Hide Plaintext Password Exposure & API Keys


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • vNext
    • Affects Version/s: None
    • Component/s: None
    • None
    • Iteration J (Aug 25 - Sept 8)
    • Not Needed

      From Industry solutions doc: 

      https://docs.google.com/document/d/1XbU-wNLy940AbstFwsdxptM3rMOQqgLBa3oTfJL4H2I/edit?disco=AAABlnpkfyo


      Critical. Plaintext Password Exposure: Passwords were explicitly shown in plaintext in test logs when querying connection details for both local and MongoDB Atlas instances, and during the creation of a new database user (readonly_user). This is a severe security vulnerability.

      Nikola

      This is a valid issue - we redact connection strings, but don't redact passwords. We do instruct the agent not to generate a password if the user hasn't specified one, but we don't explicitly redact it before logging.


      Three issues to fix as part of this ticket:

      1. Check to make sure we do not log the password when we create a user, and the password when users connect to an Atlas cluster. The first step here is to test and make sure we don't log the connection string.
      2. The config resource stores API keys; we should verify logs don't leak sensitive creds.
      3. Redact sensitive info from error stack traces – we might be able to leverage what we use in mongosh.
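An added example, in TypeScript, of the three redaction steps listed above; it is not the MCP server's own code, and the function names, the secret-key pattern and the `<redacted>` marker are assumptions:

```typescript
// Added example (not the MCP server's code): mask secrets before they reach logs.
// Assumed names: redactConnectionString, redactConfig, redactError, SECRET_KEY_RE.

const SECRET_KEY_RE = /^(password|pass|pwd|api[_-]?client[_-]?secret|api[_-]?key|secret|token)$/i;
// "scheme://user:password@" -> capture up to the password, mask the password only.
const CONN_STR_RE = /(mongodb(?:\+srv)?:\/\/[^:@\/\s]+:)[^@\s]*@/gi;
const MASK = "<redacted>";

// 1. Mask the password component of any MongoDB URI embedded in the text.
//    A URI without credentials ("mongodb://localhost:27017/db") is left unchanged.
function redactConnectionString(text: string): string {
  return text.replace(CONN_STR_RE, `$1${MASK}@`);
}

// 2. Walk a config object (API keys, connection string) and mask values stored
//    under secret-looking keys; other strings are still scanned for URIs.
function redactConfig(value: unknown): unknown {
  if (typeof value === "string") return redactConnectionString(value);
  if (Array.isArray(value)) return value.map((v) => redactConfig(v));
  if (value && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SECRET_KEY_RE.test(k) && v != null ? MASK : redactConfig(v);
    }
    return out;
  }
  return value;
}

// 3. Scrub an error's message and stack. Stack traces can quote arbitrary
//    argument values (e.g. the password given to createUser), so besides the
//    structural URI rule, every known secret value is replaced verbatim.
function redactError(err: Error, knownSecrets: string[] = []): { name: string; message: string; stack: string } {
  const scrub = (s: string): string => {
    let out = redactConnectionString(s);
    for (const secret of knownSecrets) {
      if (secret.length > 0) out = out.split(secret).join(MASK);
    }
    return out;
  };
  return { name: err.name, message: scrub(err.message), stack: scrub(err.stack ?? "") };
}
```

Apply `redactConfig` to the config resource before serialising it and route every error through `redactError` before it is logged; a log line must never contain the raw user-supplied password or a URI with its password component.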

            Assignee:
            Kevin Mas Ruiz
            Reporter:
            Gaurab Aryal