Zeppelin / ZEPPELIN-2733

Remove System Information Leak in Authentication.java


Details

    • Improvement
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • None
    • 0.7.3, 0.8.0
    • security
    • None

    Description

      An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.
      In the file Authentication.java,

      Line 137: LOG.debug("Encrypted user key is {}", userKey);
      Line 148: LOG.debug("IV is {}, IV length is {}", initVector, initVector.length());
      

      These lines may print information which can reveal some important data to the user, making it vulnerable to attacks. We should not log this sensitive information.
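
The pattern the description flags, next to one redacted alternative, with a check that captures the log output and tests whether the secret values reach it. This is an added example, not Zeppelin's Authentication.java or the project's fix; it uses java.util.logging instead of the project's logger so it runs without dependencies, and the class name, method names and sample values are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.*;
// Added example, not Zeppelin code. Names are hypothetical; sample values are constructed.
public class KeyLogLeakCheck {
  private static final Logger LOG = Logger.getLogger("KeyLogLeakCheck");

  // Collects every formatted message so the check can inspect what was emitted.
  static final class Capture extends Handler {
    final List<String> lines = new ArrayList<>();
    @Override public void publish(LogRecord r) { lines.add(new SimpleFormatter().formatMessage(r)); }
    @Override public void flush() {}
    @Override public void close() {}
  }

  // Pattern the issue reports: key material passed straight to the debug log.
  static void logLeaky(String userKey, String initVector) {
    LOG.log(Level.FINE, "Encrypted user key is {0}", userKey);
    LOG.log(Level.FINE, "IV is {0}, IV length is {1}", new Object[] {initVector, initVector.length()});
  }

  // One way to keep a debug trace without the values: log presence and length only.
  static void logRedacted(String userKey, String initVector) {
    LOG.log(Level.FINE, "Encrypted user key present: {0}", userKey != null);
    LOG.log(Level.FINE, "IV length is {0}", initVector.length());
  }

  // Runs one logging routine with a fresh capture handler attached.
  static Capture capture(Runnable body) {
    Capture c = new Capture();
    LOG.addHandler(c);
    try { body.run(); } finally { LOG.removeHandler(c); }
    return c;
  }

  // True if any captured line contains any of the given secret values.
  static boolean leaks(Capture c, String... secrets) {
    for (String s : secrets) if (c.lines.stream().anyMatch(l -> l.contains(s))) return true;
    return false;
  }

  public static void main(String[] args) {
    String userKey = "CONSTRUCTED-ENCRYPTED-KEY"; // constructed sample value
    String initVector = "CONSTRUCTED-IV-16";      // constructed sample value
    LOG.setUseParentHandlers(false);              // keep output inside the capture handler
    LOG.setLevel(Level.FINE);                     // debug enabled, as during troubleshooting
    System.out.println("leaky: " + leaks(capture(() -> logLeaky(userKey, initVector)), userKey, initVector));
    System.out.println("redacted: " + leaks(capture(() -> logRedacted(userKey, initVector)), userKey, initVector));
  }
}
```

The same capture-and-search check can run in a unit test so that a later change which logs the key or IV again fails the build.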

          People

            yanboliang Yanbo Liang