ASF GitHub Bot commented on BROOKLYN-405:

GitHub user aledsage opened a pull request:


    BROOKLYN-405: ssh doesn't log password environment variables

    First commit just tidies up tests (allowing more of them to run as unit 
    Second commit actually changes non-test code.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/aledsage/brooklyn-server BROOKLYN-405

Alternatively you can review and apply these changes as the patch at:


To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #475
commit e5b40cc1866854d8966099c26ea44a62cd9c3196
Author: Aled Sage <aled.s...@gmail.com>
Date:   2016-12-01T08:26:56Z

    SshMachineLocationTest: make non-integration
    * Uses RecordingSshTool
    * Moves integration tests into SshMachineLocationIntegrationTest
    * Changes SshMachineLocationIntegrationTest to extends 

commit 0e509420c052534a0378adc3b3b94b24ef0898ac
Author: Aled Sage <aled.s...@gmail.com>
Date:   2016-12-01T08:50:22Z

    BROOKLYN-405: ssh doesn't log password environment variables


> Passwords in environment variables logged by brooklyn.SSH debug
> ---------------------------------------------------------------
>                 Key: BROOKLYN-405
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-405
>             Project: Brooklyn
>          Issue Type: Bug
>            Reporter: Aled Sage
> In Brooklyn 0.10.0-SNAPSHOT
> Passwords that are set in {{shell.env}} (and thus passed into 
> {{check-running}} etc) are being logged in plain-text.
> Admittedly I'm not using an external credential store, but I suspect that 
> even if I was then this would still happen.
> We should be calling {{Sanitizer.sanitize(env)}} for our logging.
> {noformat}
> 2016-11-30 11:25:43,520 DEBUG 117 b.SSH [ger-Lh7ezXs6-213] check-running 
> VanillaSoftwareProcessImpl{id=enztuvtelc}, initiating ssh on machine 
> SshMachineLocation[] 
> (env {ADMIN_PASSWORD=GoXcLbqo6Oxg, DB_USER=micro-user, ADMIN_USER=admin, DB_UR
> L=mysql://, DB_PASSWORD=tZdPPP9tBSfRTrt, 
> PID_FILE=/home/users/amp/brooklyn-managed-processes/apps/bv6tlh58aw/entities/VanillaSoftwareProcess_enztuvtelc/pid.txt}):
>  #!/bin/bash -e
>  ; export 
> INSTALL_DIR="/home/users/amp/brooklyn-managed-processes/installs/VanillaSoftwareProcess_0.0.0_bFlJaB"
>  ; export 
> RUN_DIR="/home/users/amp/brooklyn-managed-processes/apps/bv6tlh58aw/entities/VanillaSoftwareProcess_enztuvtelc"
>  ; mkdir -p $RUN_DIR ; cd $RUN_DIR ; counter=`wget -T 15 -q -O- ${
> HOST_ADDRESS}:8080/health --http-user=${ADMIN_USER} 
> --http-password=${ADMIN_PASSWORD} | grep -c "status.:.UP"`
> if [ $counter -eq 0 ]; then 
>   exit 1;
> fi
> {noformat}

This message was sent by Atlassian JIRA

Reply via email to