exploitDog
GHSA-vmcp-66r5-3pcp

Published: 17 Jul 2024
Source: github
GitHub: Reviewed
CVSS4: 2
CVSS3: 2.5

Description

Steeltoe Leaks Basic Auth Credentials to Logs After Fetch Registry Error

Summary

When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked.

Details

Package: Steeltoe.Discovery.Eureka
Package version: 3.2.1
Branch: "release/3.2"
File name: DiscoveryClient.cs
Line number: 325
Code in question: _logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());

Error message in logs: FetchRegistry Failed for Eureka service urls: https://****:****@eureka1.com:443/eureka,https://user:password@eureka2.com:443/eureka

I thought new Uri(clientOptions.EurekaServerServiceUrls) would throw a UriFormatException since there are multiple URLs, but my logs are showing two URLs regardless.
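The following C# is an added illustration of the mechanism described above; it is not code from the advisory or from the Steeltoe project. MaskSingle is a hypothetical stand-in for Steeltoe's ToMaskedString() extension, MaskAsOneUri mirrors the single-Uri pattern quoted in the advisory, MaskEachUrl is a per-URL alternative, and the hosts and credentials in Main are constructed placeholders.

```csharp
using System;
using System.Linq;

// Added example (not Steeltoe's code): contrasts masking a comma-separated list of
// Eureka URLs through a single System.Uri with masking each URL on its own, and
// provides a check that a value is free of credentials before it reaches a log sink.
public static class EurekaUrlMasking
{
    // Hypothetical stand-in for ToMaskedString(): replaces the user-info part of ONE
    // URL with "****:****" and keeps scheme, host, port, path and query.
    public static string MaskSingle(Uri uri)
    {
        if (string.IsNullOrEmpty(uri.UserInfo))
        {
            return uri.ToString();
        }

        return $"{uri.Scheme}://****:****@{uri.Host}:{uri.Port}{uri.PathAndQuery}";
    }

    // The pattern from the advisory: the whole setting is handed to one System.Uri.
    // The parser accepts the comma as part of the path, so only the first URL's
    // credentials land in UserInfo; everything after the comma, credentials included,
    // survives unmasked inside the path component of the parsed Uri.
    public static string MaskAsOneUri(string eurekaServerServiceUrls)
    {
        return MaskSingle(new Uri(eurekaServerServiceUrls));
    }

    // Per-URL form: split the setting into its URLs and mask each one separately.
    public static string MaskEachUrl(string eurekaServerServiceUrls)
    {
        var masked = eurekaServerServiceUrls
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(url => MaskSingle(new Uri(url.Trim())));

        return string.Join(",", masked);
    }

    // Defensive check for a value about to be logged: true when any URL in the list
    // still carries a user-info part other than the mask.
    public static bool ContainsUnmaskedCredentials(string eurekaServerServiceUrls)
    {
        return eurekaServerServiceUrls
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(url => new Uri(url.Trim()).UserInfo)
            .Any(userInfo => userInfo.Length > 0 && userInfo != "****:****");
    }

    public static void Main()
    {
        // Constructed sample setting; hosts and credentials are placeholders.
        const string urls =
            "https://user:password@eureka1.com:443/eureka,https://user:password@eureka2.com:443/eureka";

        string single = MaskAsOneUri(urls);
        string perUrl = MaskEachUrl(urls);

        Console.WriteLine("single Uri : " + single + "  unmasked=" + ContainsUnmaskedCredentials(single));
        Console.WriteLine("per URL    : " + perUrl + "  unmasked=" + ContainsUnmaskedCredentials(perUrl));
    }
}
```

With the constructed input, the single-Uri path produces the shape of the log line quoted in the advisory (first URL masked, second URL intact), and ContainsUnmaskedCredentials flags it; the per-URL form masks both. The check is the piece worth keeping near any logging call that handles connection settings: it costs one parse per URL and turns a silent leak into a failure you can assert on in tests.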

PoC

  1. Set Eureka config with multiple server URLs with basic auth
  2. Apologies for not being more descriptive for this step, but I believe we would just need to trigger an exception in FetchFullRegistryAsync.
  3. Check the logs and you should see the error

Impact

Vulnerability: Credential leakage in the logs
Who does it impact?: Users who are using peer awareness with Spring Eureka

Packages

Name: Steeltoe.Discovery.Eureka (nuget)
Affected versions: <= 3.2.7
Fixed version: 3.2.8

Name: Steeltoe.Discovery.EurekaBase (nuget)
Affected versions: <= 2.5.5
Fixed version: none

Name: Steeltoe.Discovery.ClientCore (nuget)
Affected versions / fixed version: not listed

Name: Steeltoe.Discovery.ClientAutofac (nuget)
Affected versions: <= 2.5.5
Fixed version: none

EPSS

Percentile: 20%
Score: 0.00064 (Low)

CVSS4: 2 (Low)

CVSS3: 2.5 (Low)

Weaknesses

CWE-532

Related vulnerabilities

CVSS3: 5.3
Source: nvd
More than 1 year ago

Steeltoe is an open source project that provides a collection of libraries that helps users build production-grade cloud-native applications using externalized configuration, service discovery, distributed tracing, application management, and more. When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked. The code in question is `_logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());` in the `DiscoveryClient.cs` file which may leak credentials into logs. This issue has been addressed in version 3.2.8 of the Steeltoe.Discovery.Eureka nuget package.
