As discussed in this PR, it is possible for a client (authenticated or not) to "SPAM" and corrupt the audit log.
As far as I can tell, the following works on any server, because the digest provider is always active and accepts (almost) arbitrary strings:
Note that "whatever" in the example above doesn't have to be a known or valid password. Similarly, the string to the left of : is not validated in any way; it is just copied as-is into the Id associated with the connection.
This results in entries akin to the following in the audit log:
Note how the scheme is not mentioned; all that is visible is the "user name" part of the Id.
This could lead an hypothetical audit application to conclude that it was okay for that connection to create /dangerousnode because it was "seriously" authenticated as veryimportant@EXAMPLE.COM.
It is possible to use that loophole to corrupt the audit log in various ways, including creating fake entries. It is not even necessary to use a dedicated client; Ctrl+Q Ctrl+J can cause literal newlines to be inserted via zkCli.sh:
The result is a "two-line entry" in the audit log:
I would suggest:
- Adding a setting which allows disabling the digest provider on production servers;
- Filtering (or quoting/escaping/censoring) the user names/principals which are written to the audit log (by scheme, or perhaps by dangerous characters).