[
https://issues.apache.org/jira/browse/CASSANDRA-21148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18055332#comment-18055332
]
Brandon Williams commented on CASSANDRA-21148:
----------------------------------------------
This is why CASSANDRA-6660 added the password file.
> Nodetool history leaks password when using equals sign syntax (-pw=password)
> ----------------------------------------------------------------------------
>
> Key: CASSANDRA-21148
> URL: https://issues.apache.org/jira/browse/CASSANDRA-21148
> Project: Apache Cassandra
> Issue Type: Bug
> Components: Tool/nodetool
> Reporter: Cyl
> Priority: Normal
>
> *Description*: The vulnerability exists in the {{nodetool}} command-line
> tool. When users execute commands, {{nodetool}} saves the command history to
> {{~/.cassandra/nodetool.history}}. Although the code attempts to hide
> passwords using a regular expression, the original regex only matches
> space-separated passwords (e.g., {{-pw password}}), but fails to handle
> equals-sign-separated passwords (e.g., {{-pw=password}}).
> *File*: {{src/java/org/apache/cassandra/tools/NodeTool.java}}
> *Method*: {{printHistory}}
> *Vulnerable Code*:
> ```java
> // Original Regex: Only matches whitespace \s+ after -pw
> cmdLine = cmdLine.replaceFirst("(?<=(-pw|--password))\\s+\\S+", " <hidden>");
> ```
> *Logic*: The regex {{(?<=(-pw|--password))\\s+\\S+}} explicitly requires
> whitespace ({{\s+}}) after the flag. If a user uses the assignment syntax
> supported by many CLI parsers (including airline used by Cassandra) like
> {{-pw=secret}}, the regex fails to match, and the password is written to
> the history file in plain text.
> *Impact* Sensitive JMX passwords are leaked in plain text in the
> {{~/.cassandra/nodetool.history}} file. While less critical than a public log
> leak, it persists credentials on disk in a readable file that might be backed
> up or viewed by other users with read access to the home directory.
> *Reproduction*
> # Build the project.
> # Run nodetool with the equals sign syntax: {{bin/nodetool -pw=secretpassword help}}
> # Check the history file: {{cat ~/.cassandra/nodetool.history}}
> *Observed Result*:
>
> {{2025-12-04 06:36:10,690: -p 7199 -pw=secretpassword help}}
> *Fix* Modify the regular expression to support both space and equals sign
> separators.
> *Fixed Code*:
> ```java
> // New Regex: Matches whitespace \s+ OR equals sign =
> cmdLine = cmdLine.replaceFirst("(?<=(-pw|--password))(\\s+|=)\\S+", " <hidden>");
> ```
> *Environment*: Linux, Cassandra trunk
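
The original and proposed patterns from the description, run side by side over constructed history lines. This is an added example, not part of the original message or Cassandra's code; the class name `HistoryRedactionCheck`, the sample lines and the `/tmp/jmx.pw` path are assumptions.

```java
import java.util.List;

public class HistoryRedactionCheck {
    // Both patterns are copied from the issue description above.
    static final String ORIGINAL = "(?<=(-pw|--password))\\s+\\S+";
    static final String PROPOSED = "(?<=(-pw|--password))(\\s+|=)\\S+";

    // Same call shape as the snippet quoted from printHistory.
    static String redact(String cmdLine, String regex) {
        return cmdLine.replaceFirst(regex, " <hidden>");
    }

    public static void main(String[] args) {
        String secret = "secretpassword"; // constructed sample value
        List<String> samples = List.of(   // constructed nodetool argument lines
            "-p 7199 -pw " + secret + " help",
            "-p 7199 -pw=" + secret + " help",
            "-p 7199 --password " + secret + " help",
            "-p 7199 --password=" + secret + " help",
            "-p 7199 -pwf /tmp/jmx.pw help"); // password file: no secret on the line

        int leaksAfterFix = 0;
        for (String line : samples) {
            String before = redact(line, ORIGINAL);
            String after = redact(line, PROPOSED);
            boolean leakedBefore = before.contains(secret);
            boolean leakedAfter = after.contains(secret);
            if (leakedAfter) leaksAfterFix++;
            System.out.printf("%-42s original=%-8s proposed=%-8s -> %s%n",
                line, leakedBefore ? "LEAK" : "ok", leakedAfter ? "LEAK" : "ok", after);
        }
        // Fail loudly if the proposed pattern leaves the secret on any sample line.
        if (leaksAfterFix > 0) {
            throw new AssertionError(leaksAfterFix + " line(s) still contain the password");
        }
    }
}
```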