[SERVER-33857] Missing log redaction due to confusion with Command::redactForLogging()
Created: 13/Mar/18 Updated: 29/Oct/23 Resolved: 26/Mar/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 3.6.3, 3.7.2 |
| Fix Version/s: | 3.4.17, 3.6.7, 3.7.4 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | David Storch | Assignee: | Gabriel Russell (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Minor Change |
| Operating System: | ALL |
| Backport Requested: | v3.6, v3.4 |
| Participants: | |
| Description |
|
The existing Command::redactForLogging() predates the --redactClientLogData feature. The two are unrelated. The latter was introduced in 3.4, and when enabled, strips any PII from the logs. The former, on the other hand, is always enabled, and is used to strip password data (as well as to avoid overlong write command lines).

We appear to have confused these two redaction functions, resulting in places where redaction is missing:

https://github.com/mongodb/mongo/blob/master/src/mongo/db/service_entry_point_common.cpp#L713-L714
https://github.com/mongodb/mongo/blob/master/src/mongo/db/service_entry_point_common.cpp#L758-L762
https://github.com/mongodb/mongo/blob/master/src/mongo/db/service_entry_point_common.cpp#L766-L770
https://github.com/mongodb/mongo/blob/master/src/mongo/db/service_entry_point_common.cpp#L836-L837

Should ServiceEntryPointCommon::getRedactedCopyForLogging() also call redact(const BSONObj&)? |
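A simplified model of the gap the description points at, added here as an illustration and not taken from the MongoDB source: a log site that applies only the always-on credential masking still emits client data when `--redactClientLogData` is enabled, while composing both layers does not. The `Doc` type, the field names, the mask strings and the sample command are assumptions of this sketch.

```cpp
#include <initializer_list>
#include <iostream>
#include <map>
#include <string>

// Stand-in for a BSON command object (assumption: flat string fields only).
using Doc = std::map<std::string, std::string>;

// Models the --redactClientLogData server option.
bool gRedactClientLogData = false;

// Layer 1, always on: command-specific masking of credential fields.
// Field names and the "xxx" mask are assumptions of this sketch.
Doc redactForLogging(Doc cmd) {
    for (const char* field : {"pwd", "key"}) {
        auto it = cmd.find(field);
        if (it != cmd.end()) it->second = "xxx";
    }
    return cmd;
}

// Layer 2, opt-in: mask every value, keep field names for debugging.
Doc redact(Doc obj) {
    if (gRedactClientLogData)
        for (auto& kv : obj) kv.second = "###";
    return obj;
}

std::string render(const Doc& d) {
    std::string out = "{";
    for (const auto& kv : d) out += " " + kv.first + ": \"" + kv.second + "\",";
    if (out.size() > 1) out.pop_back();  // drop trailing comma
    return out + " }";
}

// Log site as described in the issue: layer 1 only, so client data survives.
std::string logLayer1Only(const Doc& cmd) { return render(redactForLogging(cmd)); }

// Composed form: credential masking first, then client-data redaction.
std::string logBothLayers(const Doc& cmd) { return render(redact(redactForLogging(cmd))); }

// Constructed sample command, not taken from the issue.
Doc sampleCommand() {
    return {{"createUser", "alice"}, {"pwd", "hunter2"}, {"customData", "acct-0000"}};
}

int main() {
    gRedactClientLogData = true;
    std::cout << logLayer1Only(sampleCommand()) << "\n" << logBothLayers(sampleCommand()) << "\n";
}
```

With the option off, both log sites produce the same line, which is why a gap of this kind only shows up in deployments that rely on client log redaction.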
| Comments |
| Comment by Githook User [ 23/Jul/18 ] |
|
Author: {'username': 'gabrielrussell', 'name': 'Gabriel Russell', 'email': 'gabriel.russell@mongodb.com'} Message: |
| Comment by Githook User [ 23/Jul/18 ] |
|
Author: {'name': 'Gabriel Russell', 'email': 'gabriel.russell@mongodb.com', 'username': 'gabrielrussell'} Message: |
| Comment by Githook User [ 26/Mar/18 ] |
|
Author: {'email': 'gabriel.russell@mongodb.com', 'name': 'Gabriel Russell', 'username': 'gabrielrussell'} Message: |