vergilyn opened a new issue, #15678: URL: https://github.com/apache/dubbo/issues/15678
### Pre-check

- [x] I am sure that all the content I provide is in English.

### Search before asking

- [x] I had searched in the [issues](https://github.com/apache/dubbo/issues?q=is%3Aissue) and found no similar issues.

### Apache Dubbo Component

Java SDK (apache/dubbo)

### Dubbo Version

dubbo: 3.2.x & 3.3.x
nacos: 2.x

case01:

```properties
dubbo.registry.address=nacos://${mseNacosAddress}:8848?accessKey=${accessKey}&secretKey=${secretKey}
```

case02:

```
dubbo.registry.address=nacos://${mseNacosAddress}:8848
dubbo.registry.parameters.accessKey=${accessKey}
dubbo.registry.parameters.secretKey=${secretKey}
```

### Steps to reproduce this issue

https://github.com/apache/dubbo/blob/d6f055aec47cd86df378790005df54610b66f777/dubbo-cluster/src/main/java/org/apache/dubbo/rpc/cluster/directory/AbstractDirectory.java#L201-L206

1. Modify `destroyed=true` through debug (or Arthas).
2. The RpcException message contains sensitive properties, e.g.

```
org.apache.dubbo.rpc.RpcException: Directory of type ServiceDiscoveryRegistryDirectory already destroyed for service com.xxx.dubbo.DemoDubboService:1.0 from registry nacos://mes-nacos-address:8848/org.apache.dubbo.registry.RegistryService?...&accessKey=...&secretKey=...
```

### What you expected to happen

RpcException message should not contain sensitive properties.

### Anything else

If Apache Nacos uses username&password AUTH, dubbo will remove sensitive properties.

https://github.com/apache/dubbo/blob/d6f055aec47cd86df378790005df54610b66f777/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L108-L115

Note: if the case02 style of configuration is used, dubbo specially handles username&password and removes them from the URL's parameters. Therefore, the RpcException message will not contain sensitive information. However, dubbo does not specially handle the accessKey&secretKey of MSE Nacos.

### Are you willing to submit a pull request to fix on your own?

- [ ] Yes I am willing to submit a pull request on my own!

### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
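
The following is an added example, not part of the issue and not Dubbo's own code: one way to mask credential-bearing query parameters in a registry URL, or in a message that embeds one, before the text reaches an exception or a log. The class name `RegistryUrlRedactor`, the key list and the sample host and key values are assumptions constructed for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

public final class RegistryUrlRedactor {

    // Assumption: illustrative key list built from the parameter names in this issue.
    private static final List<String> SENSITIVE_KEYS =
            List.of("accessKey", "secretKey", "username", "password");

    // Matches "?key=value" or "&key=value"; the value ends at '&', '#' or whitespace,
    // so the pattern also works on free text that embeds a URL (an exception message).
    private static final Pattern SENSITIVE_PARAM = Pattern.compile(
            "([?&](?:" + String.join("|", SENSITIVE_KEYS) + ")=)[^&#\\s]*",
            Pattern.CASE_INSENSITIVE);

    private RegistryUrlRedactor() {
    }

    /** Returns the text with every sensitive parameter value replaced by "***". */
    public static String redact(String text) {
        if (text == null) {
            return null;
        }
        return SENSITIVE_PARAM.matcher(text).replaceAll("$1***");
    }

    public static void main(String[] args) {
        // Constructed sample: host and key values are placeholders, not real credentials.
        String url = "nacos://mse-nacos.example:8848/org.apache.dubbo.registry.RegistryService"
                + "?application=demo&accessKey=AK_CONSTRUCTED&secretKey=SK_CONSTRUCTED&timeout=3000";
        String message = "Directory of type ServiceDiscoveryRegistryDirectory already destroyed"
                + " for service com.xxx.dubbo.DemoDubboService:1.0 from registry " + url;

        String safe = redact(message);
        System.out.println(safe);

        // Non-sensitive parameters survive; credential values do not.
        if (safe.contains("AK_CONSTRUCTED") || safe.contains("SK_CONSTRUCTED")) {
            throw new AssertionError("credential leaked into message");
        }
        if (!safe.contains("application=demo") || !safe.contains("timeout=3000")) {
            throw new AssertionError("non-sensitive parameter was altered");
        }
    }
}
```

Masking at the point where the message is built covers both configuration styles shown in the issue, since in either case the keys end up as URL parameters in the exception message.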