[ 
https://issues.apache.org/jira/browse/BROOKLYN-10?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14354804#comment-14354804
 ] 

ASF GitHub Bot commented on BROOKLYN-10:
----------------------------------------

GitHub user robertgmoss opened a pull request:

    https://github.com/apache/incubator-brooklyn/pull/546

    Add recursive sanitation and move to own class

    Deprecates the existing method in Entities and updates all references.  
Partial fix for BROOKLYN-10

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/robertgmoss/incubator-brooklyn 
fix/leaking-secrets

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-brooklyn/pull/546.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #546
    
----
commit 2f99f2515bf5a4cfd7d87210c207346dd67bff60
Author: Robert Moss <[email protected]>
Date:   2015-03-10T12:01:11Z

    Add recursive sanitation and move to own class
    
    Deprecates the existing method in Entities and updates all references.

----


> Dumping sensitive information in the debug log
> ----------------------------------------------
>
>                 Key: BROOKLYN-10
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-10
>             Project: Brooklyn
>          Issue Type: Bug
>            Reporter: Svetoslav Neykov
>
> Brooklyn dumps sensitive information in the debug log like passwords and 
> private keys. I tracked it (at least) to the following locations
>   * brooklyn.entity.software.MachineLifecycleEffectorTasks. 
> provisionAsync(MachineProvisioningLocation<?>) (current line is 239)
> Entities.sanitize goes just one level deep, leaving deeper info untouched (in 
> this case the config object)
>   * brooklyn.location.basic.BasicLocationRegistry.updateDefinedLocations() 
> (current line is 153)
> definedLocations.values() is not sanitized at all, leaving all the info from 
> the properties file visible



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to