  1. Percona Monitoring and Management
  2. PMM-2328

Error messages display HTTP Auth credentials

Details

    Description

      The error messages emitted by pmm-admin should not be disclosing HTTP Auth credentials.
      An example is visible in PMM-1483, but I found it when getting a non-204 response adding mysql:queries:

      Error adding MySQL queries: PUT https://xxx:[email protected]/qan-api/instances/a62aea0bbf0c49386991198c3a54b111: API returned HTTP status code 409, expected 204
      

      Aside from it being generally undesirable, why is this particularly important? This output may be generated via automated/manual tasks and stored in logs, leaving evidence on disk. Even worse than this, the information could be sent onward to a remote destination (rsyslog, Filebeat, etc.) and the credentials would be stored along with the address somewhere in the ether. That may be rather difficult to remedy, perhaps impossible under certain conditions.

            People

              Assignee: Unassigned
              Reporter: Ceri Williams (ceri.williams)
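An added example, not pmm-admin's own code: one way to keep URL credentials out of an error message of the shape reported above, plus a scrubber for lines that were already written before they are shipped to a remote log collector. The function names, host name and credentials are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// userinfoRe matches "scheme://user:password@" embedded in free text.
var userinfoRe = regexp.MustCompile(`([a-zA-Z][a-zA-Z0-9+.-]*://)[^/\s:@]*:[^/\s@]*@`)

// RedactURL (hypothetical helper) returns rawURL with the password masked.
// Input that fails to parse is never echoed back, since it may hold the secret.
func RedactURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "<unparseable URL>"
	}
	return u.Redacted() // standard library: replaces the password with "xxxxx"
}

// StatusError (hypothetical helper) builds the status-code error with the
// redacted URL, so the secret never reaches stderr or a log file.
func StatusError(method, rawURL string, got, want int) error {
	return fmt.Errorf("%s %s: API returned HTTP status code %d, expected %d",
		method, RedactURL(rawURL), got, want)
}

// ScrubLine masks URL userinfo in text that has already been produced,
// for use in a filter placed in front of a log forwarder.
func ScrubLine(line string) string {
	return userinfoRe.ReplaceAllString(line, "${1}REDACTED@")
}

func main() {
	// Constructed sample values, not taken from the report.
	raw := "https://pmm:s3cret@pmm.example.com/qan-api/instances/0123"
	fmt.Println(StatusError("PUT", raw, 409, 204))
	fmt.Println(ScrubLine("Error adding MySQL queries: PUT " + raw + ": failed"))
}
```

Redacting at the point where the message is built is the primary fix; the line scrubber only limits further spread of output that already contains the secret.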