Bug #7354

do not log keystore/truststore passwords when dumping arguments during spawning

Added by Greg Shah 12 months ago. Updated 12 months ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Start date:
Due date:
% Done: 0%
billable: No
vendor_id: GCD
case_num:
History

#2 Updated by Greg Shah 12 months ago

In #6879, it was noted that our log output should not contain passwords for keystores/truststores:

Spawn info: The argument number 19 is: net:http_client:disable_ssl_certificate_validation=true.
Spawn info: The argument number 20 is: ssl-socket:truststore:location=/some/path/to/application/deploy/server/trusted-certs.store.
Spawn info: The argument number 21 is: ssl-socket:truststore:password=cc4eb4eb0346b5d9.
Spawn info: The argument number 22 is: security:provider:name=conscrypt.

#3 Updated by Tijs Wickardt 12 months ago

Further info: it was also detected at the client log. Search for 'password' in the client log output below.

feb 09, 2023 4:11:19 PM com.goldencode.p2j.ui.client.gui.theme.ThemeManager setTheme
INFO: UI Theme successfully changed to 'someproduct/windows10'
feb 09, 2023 4:11:21 PM com.goldencode.p2j.ui.WidgetDescriptorHelper loadFromDirectory
INFO: Loaded widget descriptor class 'nl.somecompany.someproduct.grid.DxGridWidgetDescriptor'.
feb 09, 2023 4:11:21 PM com.goldencode.p2j.ui.WidgetDescriptorHelper loadFromDirectory
INFO: Loaded widget descriptor class 'nl.somecompany.someproduct.ui.PlanBoardDescriptor'.
feb 09, 2023 4:11:21 PM com.goldencode.p2j.main.ClientCore outputDiagnostics
INFO: ClientDriver: 41 arguments =
   [
      'server:spawner:uuid=50df003e-fd04-4851-9f6f-fb978f839de4',
      'net:server:host=localhost',
      'net:socket:nio=true',
      'net:ssl:trackSeqNo=false',
      'net:connection:secure=true',
      'net:server:secure_port=3333',
      'client:driver:type=gui_web',
      'client:gui:desktopHeight=768',
      'client:gui:desktopWidth=1024',
      'client:gui:taskbar=true',
      'client:gui:graphicsCached=false',
      'client:gui:disablePixelManipulation=false',
      'client:gui:renderer=2d',
      'client:gui:taskBarStyle=fixed',
      'client:web:socketTimeout=90000',
      'client:web:watchdogTimeout=-1',
      'client:web:maxBinaryMessage=32768',
      'client:web:maxTextMessage=4096',
      'client:web:maxIdleTime=90000',
      'client:web:delayBetweenTriesToConnect=5000',
      'client:web:tryToConnectMessage=\"The websocket connection to the application has been lost. Attempting to restore the connection.\"',
      'client:web:serverUnavailableMessage=\"The application server is no longer available. Please contact support.\"',
      'client:web:connectionRestoredMessage=\"The server connection has been restored.\"',
      'client:web:pingPongInterval=30000',
      'client:web:maxLostPings=6',
      'client:web:delayBetweenPingTries=1000',
      'client:web:enableDebugLogging=false',
      'client:web:maxOutputBufferSize=1048576',
      'client:web:maxOutputAggregationSize=8192',
      'client:web:maxHttpIdleTimeout=0',
      'client:web:maxResponseHeaderSize=8192',
      'client:web:maxRequestHeaderSize=8192',
      'client:text-metrics:cache-size=10000',
      'client:web:embedded=false',
      'client:web:port=0',
      'client:web:host=localhost',
      'web:referrer:url=https://localhost:41000/gui',
      'client:cmd-line-option:debugalert=true',
      'net:http_client:disable_ssl_certificate_validation=true',
      'ssl-socket:truststore:location=/v1/someproduct/server/security/trusted-certs.store',
      'ssl-socket:truststore:password=45174a40427cf43c'
   ]
   Product Version FWD version undefined
   JVM Version 1.8.0_345
   JVM Memory: free = 170676768; total = 255852544; max = 255852544;
   JVM Available CPUs: 8
   JVM Properties =
   {
      java.runtime.name = 'OpenJDK Runtime Environment',
      sun.boot.library.path = '/v1/java/jre/lib/amd64',
      java.vm.version = '25.345-b01',
      java.vm.vendor = 'Temurin',
      java.vendor.url = 'https://adoptium.net/',
      path.separator = ':',
      java.vm.name = 'OpenJDK 64-Bit Server VM',
      file.encoding.pkg = 'sun.io',
      user.country = 'NL',
      sun.java.launcher = 'SUN_STANDARD',
      sun.os.patch.level = 'unknown',
      java.vm.specification.name = 'Java Virtual Machine Specification',
      user.dir = '/v1/someproduct/server/work/default',
      java.runtime.version = '1.8.0_345-b01',
      java.awt.graphicsenv = 'sun.awt.X11GraphicsEnvironment',
      java.endorsed.dirs = '/v1/java/jre/lib/endorsed',
      os.arch = 'amd64',
      java.io.tmpdir = '/v1/someproduct/server/temp/default',
      line.separator = '
',
      java.vm.specification.vendor = 'Oracle Corporation',
      os.name = 'Linux',
      sun.jnu.encoding = 'UTF-8',
      jetty.git.hash = 'b1e6b55512e008f7fbdf1cbea4ff8a6446d1073b',
      java.library.path = '/v1/someproduct/server/lib/',
      java.specification.name = 'Java Platform API Specification',
      vm.process = 'user',
      java.class.version = '52.0',
      sun.management.compiler = 'HotSpot 64-Bit Tiered Compilers',
      os.version = '5.15.79.1-microsoft-standard-WSL2',
      user.home = '/home/fwd',
      user.timezone = 'Europe/Amsterdam',
      java.awt.printerjob = 'sun.print.PSPrinterJob',
      file.encoding = 'UTF-8',
      java.specification.version = '1.8',
      user.name = 'fwd',
      java.class.path = '/v1/someproduct/server/lib/p2j.jar:/v1/someproduct/server/lib/someproduct.jar:/v1/someproduct/server/lib/someproduct.ext.jar',
      java.vm.specification.version = '1.8',
      sun.arch.data.model = '64',
      java.home = '/v1/java/jre',
      sun.java.command = 'com.goldencode.p2j.main.ClientDriver server:spawner:uuid=50df003e-fd04-4851-9f6f-fb978f839de4 net:server:host=localhost net:socket:nio=true net:ssl:trackSeqNo=false net:connection:secure=true net:server:secure_port=3333 client:driver:type=gui_web client:gui:desktopHeight=768 client:gui:desktopWidth=1024 client:gui:taskbar=true client:gui:graphicsCached=false client:gui:disablePixelManipulation=false client:gui:renderer=2d client:gui:taskBarStyle=fixed client:web:socketTimeout=90000 client:web:watchdogTimeout=-1 client:web:maxBinaryMessage=32768 client:web:maxTextMessage=4096 client:web:maxIdleTime=90000 client:web:delayBetweenTriesToConnect=5000 client:web:tryToConnectMessage=\"The websocket connection to the application has been lost. Attempting to restore the connection.\" client:web:serverUnavailableMessage=\"The application server is no longer available. Please contact support.\" client:web:connectionRestoredMessage=\"The server connection has been restored.\" client:web:pingPongInterval=30000 client:web:maxLostPings=6 client:web:delayBetweenPingTries=1000 client:web:enableDebugLogging=false client:web:maxOutputBufferSize=1048576 client:web:maxOutputAggregationSize=8192 client:web:maxHttpIdleTimeout=0 client:web:maxResponseHeaderSize=8192 client:web:maxRequestHeaderSize=8192 client:text-metrics:cache-size=10000 client:web:embedded=false client:web:port=0 client:web:host=localhost web:referrer:url=https://localhost:41000/gui client:cmd-line-option:debugalert=true net:http_client:disable_ssl_certificate_validation=true ssl-socket:truststore:location=/v1/someproduct/server/security/trusted-certs.store ssl-socket:truststore:password=45174a40427cf43c',
      java.specification.vendor = 'Oracle Corporation',
      user.language = 'nl',
      awt.toolkit = 'sun.awt.X11.XToolkit',
      java.vm.info = 'mixed mode',
      java.version = '1.8.0_345',
      java.ext.dirs = '/v1/java/jre/lib/ext:/usr/java/packages/lib/ext',
      sun.boot.class.path = '/v1/java/jre/lib/resources.jar:/v1/java/jre/lib/rt.jar:/v1/java/jre/lib/sunrsasign.jar:/v1/java/jre/lib/jsse.jar:/v1/java/jre/lib/jce.jar:/v1/java/jre/lib/charsets.jar:/v1/java/jre/lib/jfr.jar:/v1/java/jre/classes',
      java.vendor = 'Temurin',
      java.awt.headless = 'true',
      file.separator = '/',
      java.vendor.url.bug = 'https://github.com/adoptium/adoptium-support/issues',
      sun.cpu.endian = 'little',
      sun.io.unicode.encoding = 'UnicodeLittle',
      sun.font.fontmanager = 'sun.awt.X11FontManager',
      sun.cpu.isalist = ''
   }
   JVM Environment =
   {
      PATH = '/v1/java/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin',
      CLIENT_IP = '172.18.0.1',
      SHELL = '/bin/bash',
      TZ = '',
      P2J_SUBJECT = '614938546D6334303254306C32323269',
      SSH_CLIENT = '172.18.0.3 42054 22',
      SSH_TTY = '/dev/pts/1',
      MOTD_SHOWN = 'pam',
      TERM = 'xterm',
      OLDPWD = '/home/fwd',
      P2J_PASSWORD = '583F372132483636343C313434416074',
      USER = 'fwd',
      P2J_HOME = '/v1/someproduct/server/lib/',
      DISPLAY = 'localhost:11.0',
      SSH_CONNECTION = '172.18.0.3 42054 172.18.0.4 22',
      LOGIN = 'fwd',
      LOGNAME = 'fwd',
      LC_CTYPE = 'C.UTF-8',
      PWD = '/v1/someproduct/server/bin',
      HOME = '/home/fwd',
      SHLVL = '1',
      _ = '/v1/java/bin/java'
   }
feb 09, 2023 4:11:21 PM com.goldencode.p2j.main.ClientCore outputDiagnostics
INFO: BootstrapConfig sharedFile = none; privateFile = none; isServer = false; configuraton values =
   {
      NET:QUEUE:CONVERSATION = true
      NET:QUEUE:START_THREAD = false
      NET:SERVER:HOST = localhost
      NET:SERVER:SECURE_PORT = 3333
      NET:SOCKET:NIO = true
      NET:SSL:TRACKSEQNO = false
      NET:CONNECTION:SECURE = true
      NET:HTTP_CLIENT:DISABLE_SSL_CERTIFICATE_VALIDATION = true
      SERVER:SPAWNER:UUID = 50df003e-fd04-4851-9f6f-fb978f839de4
      CLIENT:DRIVER:TYPE = gui_web
      CLIENT:GUI:DESKTOPHEIGHT = 768
      CLIENT:GUI:DESKTOPWIDTH = 1024
      CLIENT:GUI:TASKBAR = true
      CLIENT:GUI:GRAPHICSCACHED = false
      CLIENT:GUI:DISABLEPIXELMANIPULATION = false
      CLIENT:GUI:RENDERER = 2d
      CLIENT:GUI:TASKBARSTYLE = fixed
      CLIENT:WEB:SOCKETTIMEOUT = 90000
      CLIENT:WEB:WATCHDOGTIMEOUT = -1
      CLIENT:WEB:MAXBINARYMESSAGE = 32768
      CLIENT:WEB:MAXTEXTMESSAGE = 4096
      CLIENT:WEB:MAXIDLETIME = 90000
      CLIENT:WEB:DELAYBETWEENTRIESTOCONNECT = 5000
      CLIENT:WEB:TRYTOCONNECTMESSAGE = \"The websocket connection to the application has been lost. Attempting to restore the connection.\" 
      CLIENT:WEB:SERVERUNAVAILABLEMESSAGE = \"The application server is no longer available. Please contact support.\" 
      CLIENT:WEB:CONNECTIONRESTOREDMESSAGE = \"The server connection has been restored.\" 
      CLIENT:WEB:PINGPONGINTERVAL = 30000
      CLIENT:WEB:MAXLOSTPINGS = 6
      CLIENT:WEB:DELAYBETWEENPINGTRIES = 1000
      CLIENT:WEB:ENABLEDEBUGLOGGING = false
      CLIENT:WEB:MAXOUTPUTBUFFERSIZE = 1048576
      CLIENT:WEB:MAXOUTPUTAGGREGATIONSIZE = 8192
      CLIENT:WEB:MAXHTTPIDLETIMEOUT = 0
      CLIENT:WEB:MAXRESPONSEHEADERSIZE = 8192
      CLIENT:WEB:MAXREQUESTHEADERSIZE = 8192
      CLIENT:WEB:EMBEDDED = false
      CLIENT:WEB:PORT = 41003
      CLIENT:WEB:HOST = localhost
      CLIENT:WEB:LANG = ?
      CLIENT:TEXT-METRICS:CACHE-SIZE = 10000
      CLIENT:CMD-LINE-OPTION:DEBUGALERT = true
      WEB:REFERRER:URL = https://localhost:41000/gui
      SSL-SOCKET:TRUSTSTORE:LOCATION = /v1/someproduct/server/security/trusted-certs.store
      SSL-SOCKET:TRUSTSTORE:PASSWORD = 45174a40427cf43c
      SECURITY:TRUSTSTORE:ALIAS = standard
      SECURITY:TRUSTSTORE:BYTES = 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
      SECURITY:CERTIFICATE:VALIDATE = true
      SECURITY:TRUST_MGR:DISABLE = false
      SECURITY:TRANSPORT:REFRESH = true
      ACCESS:PASSWORD:TRUSTSTORE = i1B7Ms5pklLStr8q5VLN0&mF+1rbM7>A@YfI
   }
descriptor: BitmapRGB[ICOEntry: width: 32, height: 32, colors: 0, planes: 1, bit count: 32, size: 4264, offset: 1182, BitmapInfoHeader: size: 40 bytes, width: 32, height: 64, planes: 1, bit count: 32, compression: 0, image size: 4096, X pixels per m: 2835, Y pixels per m: 2835, colors used: 1 (unknown), colors important: 1 (all)]
descriptor: BitmapRGB[ICOEntry: width: 32, height: 32, colors: 0, planes: 1, bit count: 32, size: 4264, offset: 1182, BitmapInfoHeader: size: 40 bytes, width: 32, height: 64, planes: 1, bit count: 32, compression: 0, image size: 4096, X pixels per m: 2835, Y pixels per m: 2835, colors used: 1 (unknown), colors important: 1 (all)]
descriptor: BitmapRGB[ICOEntry: width: 32, height: 32, colors: 0, planes: 1, bit count: 32, size: 4264, offset: 1182, BitmapInfoHeader: size: 40 bytes, width: 32, height: 64, planes: 1, bit count: 32, compression: 0, image size: 4096, X pixels per m: 2835, Y pixels per m: 2835, colors used: 1 (unknown), colors important: 1 (all)]
feb 09, 2023 4:12:11 PM com.goldencode.p2j.ui.client.event.EventManager postEvent
WARNING: Wasted event: PaintEvent{TAB (9), source=Frame rect-overlay##nl.somecompany.someproduct.ui.src.someproductopenedge.src.sys.UserLogRectOverlay$UserLogRectOverlayDef 4 Dimension[100.0,6.91] Point[0.0,6.67] visible true can false; , delayed, updateRect=Rectangle[top=8.15, left=0.2, bottom=15.01, right=100.0]}
feb 09, 2023 4:12:21 PM com.goldencode.p2j.ui.client.event.EventManager postEvent
WARNING: Wasted event: ActionEvent{CTRL-E (5), source=ButtonGuiImpl{20, "Inloggen"}, command=GO}

#4 Updated by Tijs Wickardt 12 months ago

Greg, as can be seen in #7354-3, the title of this task is a bit too narrow. Also sun.java.command needs some secret masking.
That's why I proposed a more generic solution with a custom secret regex mask in the generic FWD logger.
But of course we could design other solutions, it was just an idea.
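
A sketch of the regex-mask idea raised in #7354-4, as an added example that is not FWD code and not from the participants in this issue. It assumes the logs are produced through java.util.logging (the entry format above suggests this); the class name `MaskingFormatter`, the pattern and the sample values are hypothetical and constructed for illustration.

```java
import java.util.logging.Formatter;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.SimpleFormatter;
import java.util.regex.Pattern;

/** Added example (not FWD code): masks password values in the final formatted log text. */
public final class MaskingFormatter extends Formatter
{
   // Assumed rule: a key containing "password", then '=', then a quoted or bare value.
   private static final Pattern SECRET = Pattern.compile(
      "(?i)([\\w:.-]*password[\\w:.-]*\\s*=\\s*)('[^']*'|[^\\s'\",]+)");

   private static final String MASK = "********";

   private final Formatter delegate;

   public MaskingFormatter(Formatter delegate)
   {
      this.delegate = delegate;
   }

   /** Keep the key so the entry stays useful for diagnosis; replace only the value. */
   public static String mask(String text)
   {
      return text == null ? null : SECRET.matcher(text).replaceAll("$1" + MASK);
   }

   @Override
   public String format(LogRecord record)
   {
      // Masking after formatting covers the message, its parameters and multi-line dumps.
      return mask(delegate.format(record));
   }

   public static void main(String[] args)
   {
      // Constructed sample in the shapes seen in this report; all values are fake.
      String dump = "ClientDriver: 2 arguments =\n"
         + "   'ssl-socket:truststore:location=/tmp/example.store',\n"
         + "   'ssl-socket:truststore:password=EXAMPLE-VALUE-1'\n"
         + "   sun.java.command = 'Main net:server:host=localhost x:y:password=EXAMPLE-VALUE-2',\n"
         + "   P2J_PASSWORD = 'EXAMPLE-VALUE-3',\n"
         + "   ACCESS:PASSWORD:TRUSTSTORE = EXAMPLE-VALUE-4";
      Formatter f = new MaskingFormatter(new SimpleFormatter());
      System.out.print(f.format(new LogRecord(Level.INFO, dump)));
   }
}
```

It can be installed per handler with `handler.setFormatter(new MaskingFormatter(handler.getFormatter()))`. The pattern is best-effort: a bare value containing whitespace, a quote or a comma is masked only up to that character, so skipping secret-bearing keys where the arguments are dumped remains the more reliable fix.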
