StackStorm / st2

StackStorm (aka "IFTTT for Ops") is event-driven automation for auto-remediation, incident responses, troubleshooting, deployments, and more for DevOps and SREs. Includes rules engine, workflow, 160 integration packs with 6000+ actions (see https://exchange.stackstorm.org) and ChatOps. Installer at https://docs.stackstorm.com/install/index.html

Home Page: https://stackstorm.com/

St2 auth logs leak sensitive information

nzlosh opened this issue · comments

SUMMARY

St2 writes HTTP requests containing an unsanitised username/password pair to st2.auth.log when the log level is set to DEBUG.

STACKSTORM VERSION

st2 3.8.0, on Python 3.6.9

OS, environment, install method

```
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:        18.04
Codename:       bionic
```

Install method: manual (https://docs.stackstorm.com/install/u18.html)

Steps to reproduce the problem

  1. Configure the st2.conf auth section using the LDAP backend:

```ini
[auth]
host = 127.0.0.1
port = 9100
use_ssl = False
debug = True
enable = True
logging = /etc/st2/logging.auth.conf

mode = standalone
backend = ldap
backend_kwargs = { "bind_dn": "cn=st2,dc=example,dc=net", "bind_password": "xxxx", "base_ou": "dc=example,dc=com", "group_dns": ["cn=stackstorm users", "cn=stackstorm admins"], "host": "localhost", "port": 389, "use_ssl": false }
```

  2. Log in via the st2 CLI:

```
st2 auth st2admin -t
```

  3. Review the log entries in st2.auth.log.

The logged HTTP request contains an Authorization header with the username/password:

```
2023-05-13 09:52:17,208 140432424245856 DEBUG router [-] Received call with WebOb: POST /tokens HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Basic c3QyYWRtaW46TGVha2VkUGFzc3dvcmQK
Connection: keep-alive
Content-Length: 2
Content-Type: application/json
Host: 127.0.0.1:9100
User-Agent: python-requests/2.25.1
X-Request-Id: 52ad53f1-9942-4b31-95c6-cb12e442f77a

{}
```

The Authorization value is plain text, only base64 encoded:

```
$ base64 -d <<<c3QyYWRtaW46TGVha2VkUGFzc3dvcmQK
st2admin:LeakedPassword
```

Expected Results

In order of preference:

  1. remove/obfuscate the `Authorization` header
  2. don't log the request, just the call URL.

Actual Results

Authentication secrets leaked in plain text through logs.
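The following is an added example, not code from StackStorm or from the reporter, showing the two things a defender wants around this report: a Python `logging.Filter` that redacts the credential part of any `Authorization` header before a record reaches the log (the reporter's preferred fix, option 1), and a scanner that walks an existing log and reports which usernames have already been exposed through `Basic` headers so those accounts can be rotated. The names `redact_authorization`, `RedactAuthorizationFilter`, `find_basic_auth_users` and `demo` are assumptions of this example, and the sample log entry uses a made-up credential in the shape of the request dump above.

```python
import base64
import binascii
import io
import logging
import re

# Header names are case-insensitive; the value is "<scheme> <credential>".
# Only the credential is replaced so the scheme (Basic, Bearer, ...) stays visible.
_AUTH_HEADER_RE = re.compile(r"(?im)^(authorization:[ \t]*)([A-Za-z]+)[ \t]+(\S+)")


def redact_authorization(text: str) -> str:
    """Replace the credential in every Authorization header in a request dump
    with a fixed marker (hypothetical helper, not part of st2)."""
    return _AUTH_HEADER_RE.sub(r"\1\2 [REDACTED]", text)


class RedactAuthorizationFilter(logging.Filter):
    """Logging filter that redacts Authorization headers before a record is
    emitted. Attach it to the handler (or logger) that writes the auth log."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Interpolate first, then redact, so credentials passed via args are caught too.
        record.msg = redact_authorization(record.getMessage())
        record.args = None
        return True


def find_basic_auth_users(log_text: str) -> list:
    """Scan an existing log for leaked Basic credentials and return the usernames
    found, so the affected accounts can be rotated; passwords are never returned."""
    users = []
    for m in re.finditer(r"(?i)Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)", log_text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64: skip rather than crash on noisy log lines
        user, sep, _password = decoded.partition(":")
        if sep:
            users.append(user.strip())
    return users


# Constructed sample in the shape of the st2.auth.log entry from the report;
# the username and password here are made up for this example.
_CREDENTIAL = base64.b64encode(b"alice:s3cret").decode()
SAMPLE_LOG = (
    "2023-05-13 09:52:17,208 140432424245856 DEBUG router [-] "
    "Received call with WebOb: POST /tokens HTTP/1.1\n"
    "Accept: */*\n"
    f"Authorization: Basic {_CREDENTIAL}\n"
    "Host: 127.0.0.1:9100\n"
    "\n{}"
)


def demo() -> str:
    """Send the sample through a handler carrying the filter and return the text
    that would have been written to the log file."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactAuthorizationFilter())
    logger = logging.getLogger("st2.auth.example")
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.debug(SAMPLE_LOG)
    return stream.getvalue()


if __name__ == "__main__":
    print("accounts to rotate:", find_basic_auth_users(SAMPLE_LOG))
    print(demo())
```

The filter keeps the scheme and the rest of the request so DEBUG output stays useful for troubleshooting, which is why redaction is preferable to dropping the whole dump. The scanner is for the clean-up after the fact: any username it returns from a st2.auth.log written at DEBUG level should be treated as having had its password exposed to everyone who could read that file.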