  1. Percona Monitoring and Management
  2. PMM-2328

Error messages display HTTP Auth credentials


    Details

    • Type: Bug
    • Status: Open
    • Priority: High
    • Resolution: Reopened
    • Affects Version/s: 1.8.1, 1.17.0
    • Fix Version/s: None
    • Component/s: PMM Client

      Description

      The error messages emitted by pmm-admin should not be disclosing HTTP Auth credentials.
      An example is visible in PMM-1483, but I found it when getting a non-204 response adding mysql:queries:

      Error adding MySQL queries: PUT https://xxx:yyy@xxx/qan-api/instances/a62aea0bbf0c49386991198c3a54b111: API returned HTTP status code 409, expected 204
      

      Aside from it being generally undesirable, why is this particularly important? This output may be generated via automated/manual tasks and stored in logs, leaving evidence on disk. Even worse than this, the information could be sent onward to a remote destination (rsyslog, Filebeat, etc.) and the credentials would be stored along with the address somewhere in the ether. That may be rather difficult to remedy, perhaps impossible under certain conditions.
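
One way to keep userinfo out of messages like the one quoted above, as an added Go example that is not pmm-admin's own code: the helper names `sanitizeURL`, `apiError` and `scrubLine` are hypothetical, and the sample URL and credentials are constructed. It strips credentials before the error string is built and also scrubs lines that were already written, for use ahead of log shipping.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// sanitizeURL (hypothetical helper) drops the userinfo part (user:password@)
// so the URL can be embedded in an error message or log line.
func sanitizeURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		// Do not echo input that could not be parsed: it may still hold a password.
		return "<unparseable URL>"
	}
	u.User = nil
	return u.String()
}

// apiError (hypothetical) formats the status mismatch in the shape of the
// message quoted in this issue, with the URL sanitized first.
func apiError(method, rawURL string, got, want int) error {
	return fmt.Errorf("%s %s: API returned HTTP status code %d, expected %d",
		method, sanitizeURL(rawURL), got, want)
}

// userinfoRe matches scheme://userinfo@ inside free text. It is a best-effort
// scrubber for lines that were already written, e.g. before log shipping.
var userinfoRe = regexp.MustCompile(`([a-zA-Z][a-zA-Z0-9+.-]*://)[^/?#\s]+@`)

func scrubLine(line string) string {
	return userinfoRe.ReplaceAllString(line, "${1}")
}

func main() {
	// Constructed sample values, not taken from a real deployment.
	raw := "https://pmmuser:s3cret@pmm.example.com/qan-api/instances/0123abcd"
	fmt.Println(apiError("PUT", raw, 409, 204))
	fmt.Println(scrubLine("Error adding MySQL queries: PUT " + raw + ": failed"))
}
```

Scrubbing stored lines only limits further spread; credentials that already reached a log or a remote collector should be treated as exposed and rotated.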

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  ceri.williams Ceri Williams
                • Votes:
                  0
                  Watchers:
                  3
