KAFKA-5117

Kafka Connect REST endpoints reveal Password typed values


Description

A Kafka Connect connector can declare ConfigDef keys with type Password. This type was added to prevent the values from being logged (the string "[hidden]" is logged instead).

That masking is not applied to the values returned by a GET on connectors/{connector-name} and connectors/{connector-name}/config, so those responses carry the Password-typed values unmasked. This gives an attacker who has infiltrated your network an easily accessible way to obtain secrets that should not be available.

I have started on a code change that addresses this issue by parsing the config values through the ConfigDef for the connector and returning their output instead (which leads to the masking of Password typed configs as [hidden]).
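As an added illustration (not code from the Kafka project or from the issue reporter), the Java snippet below shows the masking behaviour the description relies on: a connector ConfigDef with one Password-typed key, the raw config map as the REST endpoints returned it, and the same map after being parsed through the ConfigDef, where the Password value renders as [hidden] while the connector can still read the real value through Password.value(). The class, key names and sample values are constructed for this example; ConfigDef, Type.PASSWORD and Password are Kafka's own classes from kafka-clients.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.config.ConfigDef.Importance;
import org.apache.kafka.common.config.ConfigDef.Type;
import org.apache.kafka.common.config.types.Password;

// Hypothetical helper class written for this example (not part of Kafka Connect).
public class ConnectorConfigMasking {

    // A minimal connector ConfigDef: one plain STRING key and one PASSWORD key.
    static ConfigDef connectorConfigDef() {
        return new ConfigDef()
            .define("db.url", Type.STRING, Importance.HIGH, "JDBC URL of the source database")
            .define("db.password", Type.PASSWORD, Importance.HIGH, "Password of the database user");
    }

    // What the REST endpoints returned: the submitted map, password value included.
    static Map<String, String> rawConfig(Map<String, String> submitted) {
        return new HashMap<>(submitted);
    }

    // The approach the issue describes: parse the submitted values through the
    // connector's ConfigDef and render each parsed value with toString().
    // PASSWORD keys come back as Password objects, whose toString() is "[hidden]".
    static Map<String, String> maskedConfig(ConfigDef def, Map<String, String> submitted) {
        Map<String, Object> parsed = def.parse(submitted);
        Map<String, String> out = new HashMap<>();
        for (Map.Entry<String, Object> e : parsed.entrySet()) {
            Object v = e.getValue();
            out.put(e.getKey(), v == null ? null : v.toString());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request body, as a client would submit it to the REST API.
        Map<String, String> submitted = new HashMap<>();
        submitted.put("db.url", "jdbc:postgresql://db.example.internal:5432/app");
        submitted.put("db.password", "example-secret-value");

        ConfigDef def = connectorConfigDef();

        // Before: the secret is in the response body.
        System.out.println("raw:    " + rawConfig(submitted));
        // After: the secret renders as [hidden].
        System.out.println("masked: " + maskedConfig(def, submitted));

        // The connector itself still gets the real value through Password.value().
        Password pw = (Password) def.parse(submitted).get("db.password");
        System.out.println("connector sees the real value: " + (pw.value().equals("example-secret-value")));
    }
}
```

Compile and run with kafka-clients on the classpath. Two caveats worth checking in any real implementation of this approach: ConfigDef.parse returns only the keys the ConfigDef defines, so keys a connector does not declare (for example transform or converter settings) are dropped from the masked map unless merged back in, and it throws a ConfigException for a missing required key, so a half-written connector config cannot simply be re-rendered through it.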

People: Chris Egerton (ChrisEgerton), Thomas Holmes (tholmes)
Votes: 1
Watchers: 8
