[ https://issues.apache.org/jira/browse/KAFKA-5117?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16017689#comment-16017689 ]
Thomas Holmes commented on KAFKA-5117: -------------------------------------- I had some code that seems to work but I'm not very happy with it. I'll try to clean it up a bit and get a PR made so the approach/impact can be discussed. One main thing I was concerned about was whether or not the connectors use these endpoints to share task configuration. I was seeing some instability when running my code change so I am unsure if it was related or not. I didn't get a chance to fully diagnose the situation, though. > Kafka Connect REST endpoints reveal Password typed values > --------------------------------------------------------- > > Key: KAFKA-5117 > URL: https://issues.apache.org/jira/browse/KAFKA-5117 > Project: Kafka > Issue Type: Bug > Components: KafkaConnect > Affects Versions: 0.10.2.0 > Reporter: Thomas Holmes > > A Kafka Connect connector can specify ConfigDef keys as type of Password. > This type was added to prevent logging the values (instead "[hidden]" is > logged). > This change does not apply to the values returned by executing a GET on > {{connectors/\{connector-name\}}} and > {{connectors/\{connector-name\}/config}}. This creates an easily accessible > way for an attacker who has infiltrated your network to gain access to > potential secrets that should not be available. > I have started on a code change that addresses this issue by parsing the > config values through the ConfigDef for the connector and returning their > output instead (which leads to the masking of Password typed configs as > [hidden]). -- This message was sent by Atlassian JIRA (v6.3.15#6346)