[SERVER-34003] passwords are not redacted from unrecognized commands Created: 20/Mar/18 Updated: 29/Oct/23 Resolved: 04/May/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 4.0.0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Gabriel Russell (Inactive) | Assignee: | Billy Donahue |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||||||
| Operating System: | ALL | ||||||||||||
| Sprint: | Platforms 2018-04-09, Platforms 2018-04-23, Platforms 2018-05-07 | ||||||||||||
| Participants: | |||||||||||||
| Description |
|
if I run the createUse command as opposed to createUser:
I get no less then three copies of the password in the log:
|
| Comments |
| Comment by Githook User [ 04/May/18 ] | |||||
|
Author: {'email': 'billy.donahue@mongodb.com', 'name': 'Billy Donahue', 'username': 'BillyDonahue'}Message: | |||||
| Comment by Billy Donahue [ 04/May/18 ] | |||||
|
with
, here's what you get:
This ticket seems to be about a backstop redaction even for cases where --redactClientLogData isn't active.
| |||||
| Comment by Kevin Pulo [ 04/May/18 ] | |||||
|
If --redactClientLogData is used, won't the "secret" in this log line be replaced by "xxx"? Not sure what else could realistically be done about this — not printing the cmdObj for unknown commands is fine, except what happens if the sensitive info is accidentally in the parameters of a valid command? There's no general way for the server to guess what might be sensitive, which is precisely why --redactClientLogData exists. | |||||
| Comment by Billy Donahue [ 03/May/18 ] | |||||
|
Since we don't know which Command was intended, we can't tell what's a password and what isn't. Maybe we should just not print the cmdObj whenever there's a CommandNotFound. |