[Openstack-security] [Bug 1247217] [NEW] Sanitize passwords when logging payload in wsgi for API Extensions
Brent Tang
btang at us.ibm.com
Fri Nov 1 18:05:55 UTC 2013
Public bug reported:
The fix for bug 1231263 ( https://bugs.launchpad.net/nova/+bug/1231263 )
addressed not logging the clear-text password in the nova wsgi.py module
for the adminPass attribute for the Server Change Password REST API, but
this only addressed that specific attribute. Since Nova has support for
the ability to add REST API Extensions (in the contrib directory), there
could any number of other password-related attributes in the
request/response body for those additional extensions.
Although it would not be possible to know all of the various sensitive
attributes that these API's would pass in the request/response (the only
way to totally eliminate the exposure would be to not log the
request/response which is useful for debugging), I would like to propose
a change similar to the one that was made in keystone (under
https://bugs.launchpad.net/keystone/+bug/1166697) to mask the password
in the log statement for any attribute that contains the "password" sub-
string in it.
The change would in essence be to update the _SANITIZE_KEYS /
_SANITIZE_PATTERNS lists in the nova/api/openstack/wsgi.py module to
include a pattern for the "password" sub-string.
Also, for a slight performance benefit, it may be useful to put a check
in to see if debug logging level is enabled around the debug statement
that does the sanitize call (since the request/response bodies could be
fairly large and wouldn't want to take the hit to do the pattern matches
if debug isn't on).
** Affects: nova
Importance: Undecided
Status: Confirmed
** Tags: api security
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1247217
Title:
Sanitize passwords when logging payload in wsgi for API Extensions
Status in OpenStack Compute (Nova):
Confirmed
Bug description:
The fix for bug 1231263 ( https://bugs.launchpad.net/nova/+bug/1231263
) addressed not logging the clear-text password in the nova wsgi.py
module for the adminPass attribute for the Server Change Password REST
API, but this only addressed that specific attribute. Since Nova has
support for the ability to add REST API Extensions (in the contrib
directory), there could any number of other password-related
attributes in the request/response body for those additional
extensions.
Although it would not be possible to know all of the various sensitive
attributes that these API's would pass in the request/response (the
only way to totally eliminate the exposure would be to not log the
request/response which is useful for debugging), I would like to
propose a change similar to the one that was made in keystone (under
https://bugs.launchpad.net/keystone/+bug/1166697) to mask the password
in the log statement for any attribute that contains the "password"
sub-string in it.
The change would in essence be to update the _SANITIZE_KEYS /
_SANITIZE_PATTERNS lists in the nova/api/openstack/wsgi.py module to
include a pattern for the "password" sub-string.
Also, for a slight performance benefit, it may be useful to put a
check in to see if debug logging level is enabled around the debug
statement that does the sanitize call (since the request/response
bodies could be fairly large and wouldn't want to take the hit to do
the pattern matches if debug isn't on).
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1247217/+subscriptions
More information about the Openstack-security
mailing list