[SERVER-34003] passwords are not redacted from unrecognized commands Created: 20/Mar/18  Updated: 29/Oct/23  Resolved: 04/May/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.0.0

Type: Bug Priority: Major - P3
Reporter: Gabriel Russell (Inactive) Assignee: Billy Donahue
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-33302 Missing log redaction for a few failu... Closed
related to SERVER-33857 Missing log redaction due to confusio... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Platforms 2018-04-09, Platforms 2018-04-23, Platforms 2018-05-07
Participants:

 Description   

If I run the createUse command as opposed to createUser:

db.runCommand({ createUse: "foo" , pwd: "secret"})

I get no less than three copies of the password in the log:

[gabriel@earthshaker mongo-linux]$ ./mongod -vvvvv 2>&1 | grep secret                                                                                                                                                                                                                       
2018-03-20T12:57:06.470-0400 D -        [conn1] User Assertion: CommandNotFound: no such command: 'createUse', bad cmd: '{ createUse: "foo", pwd: "secret", $db: "test" }' src/mongo/db/service_entry_point_common.cpp 844                                                                  
2018-03-20T12:57:06.470-0400 D COMMAND  [conn1] assertion while executing command 'createUse' on database 'test': CommandNotFound: no such command: 'createUse', bad cmd: '{ createUse: "foo", pwd: "secret", $db: "test" }'                                                                
2018-03-20T12:57:06.470-0400 I COMMAND  [conn1] command test.$cmd appName: "MongoDB Shell" command: { createUse: "foo", pwd: "secret", $db: "test" } numYields:0 ok:0 errMsg:"no such command: 'createUse', bad cmd: '{ createUse: \"foo\", pwd: \"secret\", $db: \"test\" }'" errName:CommandNotFound errCode:59 reslen:187 locks:{} protocol:op_msg 0ms          



 Comments   
Comment by Githook User [ 04/May/18 ]

Author:

{'email': 'billy.donahue@mongodb.com', 'name': 'Billy Donahue', 'username': 'BillyDonahue'}

Message: SERVER-34003 redact payload of unknown commands from logs
Branch: master
https://github.com/mongodb/mongo/commit/00db1ee9d23447d935edf893e3cf0875904fe999

Comment by Billy Donahue [ 04/May/18 ]

kevin.pulo, with --redactClientLogData, here's what you get:

$ ./mongod --redactClientLogData -vvvvv 2>&1
2018-05-04T11:07:41.366-0400 D COMMAND  [conn1] no such command: 'createUse'
2018-05-04T11:07:41.366-0400 D -        [conn1] User Assertion: CommandNotFound: ### src/mongo/db/service_entry_point_common.cpp 981
2018-05-04T11:07:41.366-0400 I COMMAND  [conn1] command test.$cmd appName: "MongoDB Shell" command: unrecognized numYields:0 ok:0 errMsg:"###" errName:CommandNotFound errCode:59 reslen:119 locks:{} protocol:op_msg 0ms

 

This ticket seems to be about a backstop redaction even for cases where --redactClientLogData isn't active.

 

Comment by Kevin Pulo [ 04/May/18 ]

If --redactClientLogData is used, won't the "secret" in this log line be replaced by "xxx"?

Not sure what else could realistically be done about this — not printing the cmdObj for unknown commands is fine, except what happens if the sensitive info is accidentally in the parameters of a valid command? There's no general way for the server to guess what might be sensitive, which is precisely why --redactClientLogData exists.

Comment by Billy Donahue [ 03/May/18 ]

Since we don't know which Command was intended, we can't tell what's a password and what isn't.

Maybe we should just not print the cmdObj whenever there's a CommandNotFound.
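
To audit older logs for this exposure, the following added example (not part of the ticket or the MongoDB code base) scans log lines for the pre-fix "bad cmd:" shape quoted in the description and reports which field names were written, without echoing their values. The regexes and the function name leaked_payloads are assumptions of this example; the first three sample lines are copied from the ticket and the fourth is constructed.

```python
import re

# Two pre-fix lines and one post-fix line as quoted in this ticket, plus one
# unrelated line constructed for this example.
SAMPLE_LOG = r'''2018-03-20T12:57:06.470-0400 D -        [conn1] User Assertion: CommandNotFound: no such command: 'createUse', bad cmd: '{ createUse: "foo", pwd: "secret", $db: "test" }' src/mongo/db/service_entry_point_common.cpp 844
2018-03-20T12:57:06.470-0400 I COMMAND  [conn1] command test.$cmd appName: "MongoDB Shell" command: { createUse: "foo", pwd: "secret", $db: "test" } numYields:0 ok:0 errMsg:"no such command: 'createUse', bad cmd: '{ createUse: \"foo\", pwd: \"secret\", $db: \"test\" }'" errName:CommandNotFound errCode:59 reslen:187 locks:{} protocol:op_msg 0ms
2018-05-04T11:07:41.366-0400 D COMMAND  [conn1] no such command: 'createUse'
2018-05-04T11:07:42.000-0400 I NETWORK  [conn1] end connection 127.0.0.1:50000 (0 connections now open)
'''

NO_CMD = re.compile(r"no such command: '([^']*)'")
# Greedy on purpose so nested sub-documents stay inside the captured body.
BAD_CMD = re.compile(r"bad cmd: '(\{.*\})'")
# Field names follow '{' or ','. A string value containing ", x:" would be
# over-reported, which is acceptable for an exposure audit.
KEY = re.compile(r"[{,]\s*([$\w.]+):")


def leaked_payloads(lines):
    """Yield (timestamp, command_name, argument_field_names) for every line
    that logged the body of an unrecognized command. Values are never returned,
    so the audit report does not become another copy of the secret."""
    for line in lines:
        name = NO_CMD.search(line)
        body = BAD_CMD.search(line)
        if not (name and body):
            continue  # post-fix lines name the command but carry no body
        fields = KEY.findall(body.group(1))
        # The first key is the mistyped command name itself; drop it.
        yield line.split(" ", 1)[0], name.group(1), fields[1:]


if __name__ == "__main__":
    for ts, cmd, fields in leaked_payloads(SAMPLE_LOG.splitlines()):
        print(f"{ts} unrecognized command {cmd!r} logged with fields {fields}")
```

Any field name reported for a line predating the fix is a candidate for credential rotation, since the server could not know which arguments were sensitive.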
