1561316811 opened a new issue, #8852:
URL: https://github.com/apache/cloudstack/issues/8852
<!--
Verify first that your issue/request is not already reported on GitHub.
Also test if the latest release and main branch are affected too.
Always add information AFTER of these HTML comments, but no need to delete
the comments.
-->
##### ISSUE TYPE
<!-- Pick one below and delete the rest -->
* Bug Report
##### COMPONENT NAME
<!--
Categorize the issue, e.g. API, VR, VPN, UI, etc.
-->
~~~
Cloud-Sever
~~~
##### CLOUDSTACK VERSION
<!--
New line separated list of affected versions, commit ID for issues on the
main branch.
-->
~~~
commit ID: 45d267ccbf2749c547cbbbac4a2cb1f3351dcaf2 on the main branch.
~~~
##### CONFIGURATION
<!--
Information about the configuration if relevant, e.g. basic network,
advanced networking, etc. N/A otherwise
-->
##### OS / ENVIRONMENT
<!--
Information about the environment if relevant, N/A otherwise
-->
##### SUMMARY
<!-- Explain the problem/feature briefly -->
The sensitive information of request.getRequestLine() may leak through
logger.warn(message);
##### STEPS TO REPRODUCE
<!--
For bugs, show exactly how to reproduce the problem, using a minimal
test-case. Use Screenshots if accurate.
For new features, show how the feature would be used.
-->
<!-- Paste example playbooks or commands between quotes below -->
~~~
~~~
<!-- You can also paste gist.github.com links for larger files -->
##### EXPECTED RESULTS
<!-- What did you expect to happen when running the steps above? -->
~~~
~~~
##### ACTUAL RESULTS
<!-- What actually happened? -->
<!-- Paste verbatim command output between quotes below -->
~~~
~~~
#### error code location
com.cloud.api.ApiServer#handle
~~~
```
public void handle(final HttpRequest request, final HttpResponse response,
final HttpContext context) throws HttpException, IOException {
// Create StringBuffer to log information in access log
final StringBuilder sb = new StringBuilder();
final HttpServerConnection connObj =
(HttpServerConnection)context.getAttribute("http.connection");
if (connObj instanceof SocketHttpServerConnection) {
final InetAddress remoteAddr =
((SocketHttpServerConnection)connObj).getRemoteAddress();
sb.append(remoteAddr.toString() + " -- ");
}
sb.append(StringUtils.cleanString(request.getRequestLine().toString()));
try {
List<NameValuePair> paramList = null;
try {
paramList = URLEncodedUtils.parse(new
URI(request.getRequestLine().getUri()), HttpUtils.UTF_8);
} catch (final URISyntaxException e) {
logger.error("Error parsing url request", e);
}
// Use Multimap as the parameter map should be in the form
(name=String, value=String[])
// So parameter values are stored in a list for the same name key
// APITODO: Use Guava's (import com.google.common.collect.Multimap;)
// (Immutable)Multimap<String, String> paramMultiMap =
HashMultimap.create();
// Map<String, Collection<String>> parameterMap =
paramMultiMap.asMap();
final Map parameterMap = new HashMap<String, String[]>();
String responseType = HttpUtils.RESPONSE_TYPE_XML;
if(paramList != null) {
for (final NameValuePair param : paramList) {
if (param.getName().equalsIgnoreCase("response")) {
responseType = param.getValue();
continue;
}
if(parameterMap.putIfAbsent(param.getName(), new
String[]{param.getValue()}) != null) {
String message = String.format("Query parameter '%s' has
multiple values [%s, %s]. Only the last value will be respected." +
"It is advised to pass only a single parameter",
param.getName(), param.getValue(), parameterMap.get(param.getName()));
logger.warn(message); //out put param
}
}
}
// Get the type of http method being used.
parameterMap.put("httpmethod", new String[]
{request.getRequestLine().getMethod()});
// Check responseType, if not among valid types, fallback to JSON
if (!(responseType.equals(HttpUtils.RESPONSE_TYPE_JSON) ||
responseType.equals(HttpUtils.RESPONSE_TYPE_XML))) {
responseType = HttpUtils.RESPONSE_TYPE_XML;
}
try {
//verify that parameter is legit for passing via admin port
String[] command = (String[]) parameterMap.get("command");
if (command != null) {
Class<?> cmdClass = getCmdClass(command[0]);
if (cmdClass != null) {
List<Field> fields =
ReflectUtil.getAllFieldsForClass(cmdClass, BaseCmd.class);
for (Field field : fields) {
Parameter parameterAnnotation =
field.getAnnotation(Parameter.class);
if ((parameterAnnotation == null) ||
!parameterAnnotation.expose()) {
continue;
}
Object paramObj =
parameterMap.get(parameterAnnotation.name());
if (paramObj != null) {
if (!parameterAnnotation.acceptedOnAdminPort()) {
throw new
ServerApiException(ApiErrorCode.ACCOUNT_ERROR, "Parameter " +
parameterAnnotation.name() + " can't be passed through the API integration
port");
}
}
}
}
}
// always trust commands from API port, user context will always
be UID_SYSTEM/ACCOUNT_ID_SYSTEM
CallContext.register(accountMgr.getSystemUser(),
accountMgr.getSystemAccount());
sb.insert(0, "(userId=" + User.UID_SYSTEM + " accountId=" +
Account.ACCOUNT_ID_SYSTEM + " sessionId=" + null + ") ");
final String responseText = handleRequest(parameterMap,
responseType, sb);
sb.append(" 200 " + ((responseText == null) ? 0 :
responseText.length()));
writeResponse(response, responseText, HttpStatus.SC_OK,
responseType, null);
} catch (final ServerApiException se) {
final String responseText = getSerializedApiError(se,
parameterMap, responseType);
writeResponse(response, responseText,
se.getErrorCode().getHttpCode(), responseType, se.getDescription());
sb.append(" " + se.getErrorCode() + " " + se.getDescription());
} catch (final RuntimeException e) {
// log runtime exception like NullPointerException to help
identify the source easier
logger.error("Unhandled exception, ", e);
throw e;
}
} finally {
logger.info(sb.toString());
CallContext.unregister();
}
}
```
~~~
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
