YLChen-007 opened a new issue, #11987: URL: https://github.com/apache/cloudstack/issues/11987
## **Description:**

### Summary

The `ApiServer.handleRequest()` method logs all API request parameters at TRACE level without sanitizing sensitive credentials, leading to exposure of passwords, secret keys, and authentication tokens in log files.

---

### Vulnerability Details

#### Location

- **File**: `server/src/main/java/com/cloud/api/ApiServer.java`
- **Method**: `handleRequest()`
- **Specific Line**: https://github.com/apache/cloudstack/blob/dbda673e1fa813856deb0f0b6328dad0222b702c/server/src/main/java/com/cloud/api/ApiServer.java#L630

#### Issue Description

When a command is missing or during request processing, the method emits **every request parameter and its value** at TRACE log level without any sanitization. This includes sensitive fields such as:

- `password` (e.g., from `DefaultResetPasswordAPIAuthenticatorCmd` and other authentication commands)
- `secretkey` (API secret keys)
- `apikey` (API keys)
- Authentication tokens
- Any other caller-supplied credentials

**Impact**: All sensitive credentials passed through API requests are logged in plaintext, making them accessible through:

- Log files on disk
- Centralized logging systems
- Log aggregation platforms
- System monitoring tools

---

### Recommended Fix

#### Mask Sensitive Fields Before Logging

Use existing utility methods to sanitize parameters before logging:

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Use StringUtils.cleanString() combined with explicit field scrubbing.
// `params` is the request parameter map and `LOGGER` the logger of the enclosing method.
Map<String, Object> sanitizedParams = new HashMap<>(params);
List<String> sensitiveFields = Arrays.asList("password", "secretkey", "apikey", "token", "sessionkey");
for (String field : sensitiveFields) {
    if (sanitizedParams.containsKey(field)) {
        sanitizedParams.put(field, "******");
    }
}

// Log sanitized parameters
LOGGER.trace("Request parameters: {}", sanitizedParams);
```

---

### References

- OWASP Logging Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
- CWE-532: https://cwe.mitre.org/data/definitions/532.html
- PCI-DSS Requirement 3.4: Render PAN unreadable (applies to all sensitive data)
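A fuller version of the masking approach proposed in the issue, as an added example that is not part of the issue or of CloudStack's own code: it assumes a servlet-style `Map<String, String[]>` parameter map and matches keys case-insensitively, so a mixed-case spelling such as `apiKey` is masked as well as `apikey`.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
// Added example (not CloudStack code): mask credential-bearing request parameters
// before they are rendered into a TRACE line. Assumes the servlet-style
// Map<String, String[]> shape of a request parameter map.
public final class ParamRedactor {
    private static final Set<String> SENSITIVE = Set.of(
        "password", "secretkey", "apikey", "token", "sessionkey");
    private static final String MASK = "******";
    /** Returns a copy of params with every sensitive value replaced by MASK. */
    public static Map<String, String[]> redact(Map<String, String[]> params) {
        Map<String, String[]> out = new HashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String[] values = e.getValue();
            if (values != null && isSensitive(e.getKey())) {
                String[] masked = new String[values.length];
                Arrays.fill(masked, MASK);  // keep the arity, hide every value
                out.put(e.getKey(), masked);
            } else {
                out.put(e.getKey(), values == null ? null : values.clone());
            }
        }
        return out;
    }

    /** Case-insensitive match so "secretKey" and "APIKEY" are caught too. */
    static boolean isSensitive(String key) {
        return key != null && SENSITIVE.contains(key.toLowerCase(Locale.ROOT));
    }

    /** Renders the redacted map as sorted key=[values] pairs for one log line. */
    public static String toLogString(Map<String, String[]> params) {
        StringBuilder sb = new StringBuilder();
        new TreeMap<>(redact(params)).forEach((k, v) ->
            sb.append(k).append('=').append(Arrays.toString(v)).append(' '));
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        Map<String, String[]> req = new HashMap<>();  // constructed sample request
        req.put("command", new String[]{"login"});
        req.put("password", new String[]{"hunter2"});
        req.put("apiKey", new String[]{"constructed-example-key"});
        System.out.println(toLogString(req));
    }
}
```

Only the redacted rendering should ever be handed to the logger; the original map stays untouched for the request handler itself.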
