Details
- Improvement
- Status: Resolved
- Minor
- Resolution: Fixed
- 3.14.9, 3.20.6
- Unknown
- Important
Description
I found that some of the metrics, specifically CamelExchangeEventNotifier_seconds_*, contain authentication parameters like authUsername and authPassword in the endpoint labels.
I believe this is incorrect because it is collected by `MeterRegistry` (PrometheusMeterRegistry in my case) and returned on the endpoint /actuator/prometheus (if you are using Spring Boot Actuator, as I am) as plain text.
Therefore, anyone who can access the metrics can also obtain your credentials.
Details:
Step 1: Create route with http producer
    // HTTP producer configured with Basic auth via endpoint query parameters
    from("direct:simple")
        .setHeader(Exchange.HTTP_METHOD, simple("GET"))
        .to(http("0.0.0.0:34001/stub")
            .authenticationPreemptive(true)
            .authMethod("Basic")
            .authUsername("login")
            .authPassword("my-super-secret-password"));
Step 2: Call this route
    producerTemplate.sendBody("direct:simple", "test");
Step 3: Done. Now the CollectorRegistry contains your secrets in labels
    var iterator = prometheusMeterRegistry.getPrometheusRegistry().metricFamilySamples();
    Writer writer = new StringWriter(16); // same writer as used by Spring Boot Actuator
    TextFormat.write004(writer, iterator);  // renders the Prometheus text exposition format
    var result = writer.toString();
Example:
    CamelExchangeEventNotifier_seconds_max{camelContext="camel-1",endpointName="http://0.0.0.0:34001/stub?authUsername=login&authenticationPreemptive=true&authMethod=Basic&authPassword=my-super-secret-password",eventType="ExchangeSentEvent",failed="false",serviceName="MicrometerEventNotifierService",} 0.222
I have pushed the complete example project: https://github.com/Akvel/example-password-in-metric-key
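As an added example (not part of the report or of the Camel project's code), a small Python check that scans a scraped /actuator/prometheus exposition for credential-like query parameters inside label values and masks them, which is what a defender would run against an instance that has not yet been upgraded. The sample exposition is constructed from the line quoted above; the parameter-name patterns and the `xxxxxx` mask are my own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of /actuator/prometheus output, modelled on the line quoted in the report.
SAMPLE = (
    "# TYPE CamelExchangeEventNotifier_seconds summary\n"
    'CamelExchangeEventNotifier_seconds_max{camelContext="camel-1",'
    'endpointName="http://0.0.0.0:34001/stub?authUsername=login&authenticationPreemptive=true'
    '&authMethod=Basic&authPassword=my-super-secret-password",eventType="ExchangeSentEvent",'
    'failed="false",serviceName="MicrometerEventNotifierService",} 0.222\n'
    'CamelExchangeEventNotifier_seconds_count{camelContext="camel-1",endpointName="direct://simple",'
    'eventType="ExchangeSentEvent",failed="false",serviceName="MicrometerEventNotifierService",} 1.0\n'
)

MASK = "xxxxxx"  # assumed mask value
# Label pairs in Prometheus text format: name="value", where value may contain \" \\ \n escapes.
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:\\.|[^"\\])*)"')
# Query-parameter names (assumed list) that should never appear in clear text in a label value.
SENSITIVE_RE = re.compile(r"password|passphrase|secret|token|authusername", re.I)
# The same names matched as ?key=value / &key=value so the value can be masked in place.
REDACT_RE = re.compile(
    r'([?&][^&=\s"]*(?:password|passphrase|secret|token|authusername)[^&=\s"]*=)[^&\s"]*', re.I
)


def _unescape(label_value: str) -> str:
    """Undo Prometheus label escaping of newline, quote and backslash."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), label_value)


def find_leaked_params(exposition: str) -> list[tuple[str, str, str]]:
    """Return (metric, label, parameter) for every credential-like query parameter
    that appears unmasked inside a label value of the scraped exposition."""
    findings = []
    for line in exposition.splitlines():
        brace = line.find("{")
        if not line or line.startswith("#") or brace < 0:
            continue
        metric = line[:brace]
        for label, raw in LABEL_RE.findall(line[brace:]):
            value = _unescape(raw)
            if "?" not in value:
                continue  # not a URI carrying query parameters
            for key, val in parse_qsl(urlsplit(value).query, keep_blank_values=True):
                if SENSITIVE_RE.search(key) and val != MASK:
                    findings.append((metric, label, key))
    return findings


def redact_exposition(exposition: str) -> str:
    """Mask the value of every sensitive query parameter, e.g. in a proxy in front of the scrape endpoint."""
    return REDACT_RE.sub(lambda m: m.group(1) + MASK, exposition)
```

Running `find_leaked_params` on the exposition before the metrics leave the host gives a cheap detection for this class of leak; `redact_exposition` is only a stop-gap until the endpoint URI is sanitised at the source.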