Bug 961072 - Logging of the site production log needs to filter out wapps/streamline/userInfo.html
Logging of the site production log needs to filter out wapps/streamline/userI...
Status: CLOSED CURRENTRELEASE
Product: OpenShift Online
Classification: Red Hat
Component: Website (Show other bugs)
2.x
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Justin Harris
libra bugs
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-08 14:03 EDT by Wesley Hearn
Modified: 2015-05-14 21:25 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-11 00:02:40 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Wesley Hearn 2013-05-08 14:03:13 EDT
Description of problem:
We log the response of wapps/streamline/userInfo.html and it include our streamline secret key along with private personal information.

Version-Release number of selected component (if applicable):
Latest

How reproducible:
always

Steps to Reproduce:
1. 
2.
3.
  
Actual results:
2013-05-08 13:43:07.501 [DEBUG] Streamline call (451.7ms) user_info! /wapps/streamline/userInfo.html [ args: {"login"=>"<snip>@<snip>.com ", "secretKey"=>"<stream line key>"}, code: 200, response: { <personal info>} ] (pid:1302)

Expected results:
2013-05-08 13:43:07.501 [DEBUG] Streamline call (451.7ms) user_info! /wapps/streamline/userInfo.html, code 200
Or something to that effect

Additional info:
Comment 1 Clayton Coleman 2013-05-15 14:29:23 EDT
secretKey needs to be added to the filter parameters list for Rails and the hooks.
Comment 2 Clayton Coleman 2013-05-20 17:08:44 EDT
User info is fairly necessary in order to debug problems.  We log username in other places, not sure that we need to exclude it here.
Comment 3 Wesley Hearn 2013-05-20 21:01:48 EDT
That is fine, but that line also includes the user address, phone number, etc.
Comment 4 Justin Harris 2013-05-21 10:01:19 EDT
Current fix involves removing the response altogether if certain keys such as e.g. phoneNumber are present.
Comment 5 openshift-github-bot 2013-05-22 14:19:10 EDT
Commit pushed to master at https://github.com/openshift/li

https://github.com/openshift/li/commit/56a56bcc9667c37ea03b9d79d7c15f6f3110d9ec
Bug 961072

 * Add secretKey to filter parameters.
 * Filter the logged response if it contains certain sensitive
   information.
Comment 6 openshift-github-bot 2013-05-22 14:19:11 EDT
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/53862cd502ed97019ed5f4807f3cd328672b231c
Bug 961072

Update filtered parameters.
Comment 7 Yujie Zhang 2013-05-23 07:47:08 EDT
Tested on devenv_3262, secretKey is added, and filtered parameters correctly, current log is as following:

2013-05-23 07:44:26.180 [DEBUG] Streamline call (744.2ms) user_info! /wapps/streamline/userInfo.html [ args: {"login"=>"wsun+3@redhat.com", "secretKey"=>"[FILTERED]"}, code: 200, response: [FILTERED] ] (pid:17874)

So verify this bug, thanks.

Note You need to log in before you can comment on or make changes to this bug.