Type: Suggestion
Resolution: Won't Fix
Component/s: Server administration
Login attempts for users managed externally (i.e. JIRA/Crowd) log the user's password in FishEye logs if the Network Traffic is enabled.
I think the password should be sanitized, because:
- This information is generally not important for troubleshooting of most issues.
- Users would have sensitive information exposed in the logs.
- FishEye administrators could enable Network Traffic, being able to see other users' passwords just by checking the logs.
Steps to Reproduce
- Connect FishEye to JIRA for user management.
- In FishEye, enable debug logging with Network Traffic.
- Attempt to log in with a user managed by JIRA. The following shows up in FishEye logs:
2015-01-14 15:53:22,259 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - >> "POST /jira/rest/usermanagement/1/authentication?username=psouza HTTP/1.1[\r][\n]"
2015-01-14 15:53:22,261 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - >> "Accept: application/xml[\r][\n]"
2015-01-14 15:53:22,261 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - >> "Authorization: Basic RmlzaEV5ZTpGaXNoRXll[\r][\n]"
2015-01-14 15:53:22,262 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - >> "User-Agent: Jakarta Commons-HttpClient/3.1[\r][\n]"
2015-01-14 15:53:22,262 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - >> "Host: localhost:8443[\r][\n]"
2015-01-14 15:53:22,263 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - >> "Cookie: $Version=0; JSESSIONID=AF0B9EEDE74CA02061D2BBABE8082BE2; $Path=/jira/[\r][\n]"
2015-01-14 15:53:22,263 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - >> "Cookie: $Version=0; atlassian.xsrf.token=BW4V-XIP4-8OTA-8Y1I|3c3e8186c830288dabc59320f94113a71a14f118|lout; $Path=/jira[\r][\n]"
2015-01-14 15:53:22,264 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - >> "Content-Length: 103[\r][\n]"
2015-01-14 15:53:22,264 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - >> "Content-Type: application/xml[\r][\n]"
2015-01-14 15:53:22,265 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - >> "[\r][\n]"
2015-01-14 15:53:22,265 DEBUG [qtp1695846316-409 ] httpclient.wire.content Wire-wire - >> "<?xml version="1.0" encoding="UTF-8" standalone="yes"?>[\n]"
2015-01-14 15:53:22,266 DEBUG [qtp1695846316-409 ] httpclient.wire.content Wire-wire - >> "<password>[\n]"
2015-01-14 15:53:22,266 DEBUG [qtp1695846316-409 ] httpclient.wire.content Wire-wire - >> " <value>1234</value>[\n]"
2015-01-14 15:53:22,267 DEBUG [qtp1695846316-409 ] httpclient.wire.content Wire-wire - >> "</password>[\n]"
2015-01-14 15:53:22,353 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "HTTP/1.1 200 OK[\r][\n]"
2015-01-14 15:53:22,353 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "HTTP/1.1 200 OK[\r][\n]"
2015-01-14 15:53:22,355 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "Server: Apache-Coyote/1.1[\r][\n]"
2015-01-14 15:53:22,355 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "X-AREQUESTID: 953x1634x1[\r][\n]"
2015-01-14 15:53:22,356 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "X-ASESSIONID: 1nwphv2[\r][\n]"
2015-01-14 15:53:22,358 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "X-Embedded-Crowd-Version: JIRA/6.2.3[\r][\n]"
2015-01-14 15:53:22,359 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "X-Crowd-User-Management-Version: 1.4[\r][\n]"
2015-01-14 15:53:22,359 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "X-Seraph-LoginReason: AUTHENTICATED_FAILED[\r][\n]"
2015-01-14 15:53:22,360 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "X-AUSERNAME: anonymous[\r][\n]"
2015-01-14 15:53:22,360 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "Cache-Control: no-cache, no-store, no-transform[\r][\n]"
2015-01-14 15:53:22,360 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "X-Content-Type-Options: nosniff[\r][\n]"
2015-01-14 15:53:22,360 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "Content-Type: application/xml;charset=UTF-8[\r][\n]"
2015-01-14 15:53:22,361 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "Content-Length: 658[\r][\n]"
2015-01-14 15:53:22,361 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "Date: Wed, 14 Jan 2015 17:53:22 GMT[\r][\n]"
2015-01-14 15:53:22,361 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - << "[\r][\n]"
The password:
2015-01-14 15:53:22,266 DEBUG [qtp1695846316-409 ] httpclient.wire.content Wire-wire - >> " <value>1234</value>[\n]"
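One form of the sanitisation the report asks for, as an added example that is not FishEye's own code: a Python redactor that post-processes the quoted wire-log lines (the function and pattern names are the example's own assumptions, and the sample lines are constructed from the trace above). Beyond the password body the report flags, it also masks the Basic Authorization header and session cookie values in the same trace, since those carry credentials and session identifiers as well.

```python
import re

REDACTED = "[REDACTED]"

# Constructed sample built from the wire-log entries quoted in the report above.
SAMPLE_LOG = r"""
2015-01-14 15:53:22,259 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - >> "POST /jira/rest/usermanagement/1/authentication?username=psouza HTTP/1.1[\r][\n]"
2015-01-14 15:53:22,261 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - >> "Authorization: Basic RmlzaEV5ZTpGaXNoRXll[\r][\n]"
2015-01-14 15:53:22,263 DEBUG [qtp1695846316-409 ] httpclient.wire.header Wire-wire - >> "Cookie: $Version=0; JSESSIONID=AF0B9EEDE74CA02061D2BBABE8082BE2; $Path=/jira/[\r][\n]"
2015-01-14 15:53:22,266 DEBUG [qtp1695846316-409 ] httpclient.wire.content Wire-wire - >> "<password>[\n]"
2015-01-14 15:53:22,266 DEBUG [qtp1695846316-409 ] httpclient.wire.content Wire-wire - >> " <value>1234</value>[\n]"
2015-01-14 15:53:22,267 DEBUG [qtp1695846316-409 ] httpclient.wire.content Wire-wire - >> "</password>[\n]"
"""

# Thread name from the log4j-style prefix, e.g. "[qtp1695846316-409 ]".
_THREAD = re.compile(r"^\S+ \S+ \w+ \[([^\]]*)\]")
# HTTP Basic credentials are base64(user:password) and must never reach the log.
_BASIC_AUTH = re.compile(r"(Authorization:\s*Basic\s+)[A-Za-z0-9+/=]+")
# Session and XSRF cookie values allow session takeover if the log is read.
_COOKIE = re.compile(r"((?:JSESSIONID|atlassian\.xsrf\.token)=)[^;\s\[]+")
# The user-management body wraps the password as <password><value>..</value></password>.
_VALUE = re.compile(r"(<value>).*?(</value>)")


def redact_wire_log(lines):
    """Yield each wire-log line with credentials masked.

    <value> elements are masked only while the emitting thread is between
    <password> and </password>, so unrelated XML values survive; the state
    is kept per thread name because request threads interleave in one log.
    """
    in_password = set()
    for line in lines:
        m = _THREAD.match(line)
        thread = m.group(1) if m else ""
        line = _BASIC_AUTH.sub(r"\g<1>" + REDACTED, line)
        line = _COOKIE.sub(r"\g<1>" + REDACTED, line)
        if "<password>" in line:
            in_password.add(thread)
        if thread in in_password:
            line = _VALUE.sub(r"\g<1>" + REDACTED + r"\g<2>", line)
        if "</password>" in line:
            in_password.discard(thread)
        yield line


def redact_text(text: str) -> str:
    """Redact a whole log file held in memory and return it as text."""
    return "\n".join(redact_wire_log(text.strip().splitlines()))
```

Running `redact_text(SAMPLE_LOG)` leaves the request line and username intact while the password value, the Basic credentials and the JSESSIONID value are replaced by `[REDACTED]`.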
Discovered while testing
FSH-15752