Bug #7354
do not log keystore/truststore passwords when dumping arguments during spawning
Status: New
Priority: Normal
Assignee: -
Target version: -
Start date:
Due date:
% Done: 0%
billable: No
vendor_id: GCD
case_num:
History
#2 Updated by Greg Shah 12 months ago
In #6879, it was noted that our log output should not contain passwords for keystores/truststores:
Spawn info: The argument number 19 is: net:http_client:disable_ssl_certificate_validation=true.
Spawn info: The argument number 20 is: ssl-socket:truststore:location=/some/path/to/application/deploy/server/trusted-certs.store.
Spawn info: The argument number 21 is: ssl-socket:truststore:password=cc4eb4eb0346b5d9.
Spawn info: The argument number 22 is: security:provider:name=conscrypt.
#3 Updated by Tijs Wickardt 12 months ago
Further info: it was also detected in the client log. Search for 'password' in the client log output below.
feb 09, 2023 4:11:19 PM com.goldencode.p2j.ui.client.gui.theme.ThemeManager setTheme INFO: UI Theme successfully changed to 'someproduct/windows10' feb 09, 2023 4:11:21 PM com.goldencode.p2j.ui.WidgetDescriptorHelper loadFromDirectory INFO: Loaded widget descriptor class 'nl.somecompany.someproduct.grid.DxGridWidgetDescriptor'. feb 09, 2023 4:11:21 PM com.goldencode.p2j.ui.WidgetDescriptorHelper loadFromDirectory INFO: Loaded widget descriptor class 'nl.somecompany.someproduct.ui.PlanBoardDescriptor'. feb 09, 2023 4:11:21 PM com.goldencode.p2j.main.ClientCore outputDiagnostics INFO: ClientDriver: 41 arguments = [ 'server:spawner:uuid=50df003e-fd04-4851-9f6f-fb978f839de4', 'net:server:host=localhost', 'net:socket:nio=true', 'net:ssl:trackSeqNo=false', 'net:connection:secure=true', 'net:server:secure_port=3333', 'client:driver:type=gui_web', 'client:gui:desktopHeight=768', 'client:gui:desktopWidth=1024', 'client:gui:taskbar=true', 'client:gui:graphicsCached=false', 'client:gui:disablePixelManipulation=false', 'client:gui:renderer=2d', 'client:gui:taskBarStyle=fixed', 'client:web:socketTimeout=90000', 'client:web:watchdogTimeout=-1', 'client:web:maxBinaryMessage=32768', 'client:web:maxTextMessage=4096', 'client:web:maxIdleTime=90000', 'client:web:delayBetweenTriesToConnect=5000', 'client:web:tryToConnectMessage=\"The websocket connection to the application has been lost. Attempting to restore the connection.\"', 'client:web:serverUnavailableMessage=\"The application server is no longer available. 
Please contact support.\"', 'client:web:connectionRestoredMessage=\"The server connection has been restored.\"', 'client:web:pingPongInterval=30000', 'client:web:maxLostPings=6', 'client:web:delayBetweenPingTries=1000', 'client:web:enableDebugLogging=false', 'client:web:maxOutputBufferSize=1048576', 'client:web:maxOutputAggregationSize=8192', 'client:web:maxHttpIdleTimeout=0', 'client:web:maxResponseHeaderSize=8192', 'client:web:maxRequestHeaderSize=8192', 'client:text-metrics:cache-size=10000', 'client:web:embedded=false', 'client:web:port=0', 'client:web:host=localhost', 'web:referrer:url=https://localhost:41000/gui', 'client:cmd-line-option:debugalert=true', 'net:http_client:disable_ssl_certificate_validation=true', 'ssl-socket:truststore:location=/v1/someproduct/server/security/trusted-certs.store', 'ssl-socket:truststore:password=45174a40427cf43c' ] Product Version FWD version undefined JVM Version 1.8.0_345 JVM Memory: free = 170676768; total = 255852544; max = 255852544; JVM Available CPUs: 8 JVM Properties = { java.runtime.name = 'OpenJDK Runtime Environment', sun.boot.library.path = '/v1/java/jre/lib/amd64', java.vm.version = '25.345-b01', java.vm.vendor = 'Temurin', java.vendor.url = 'https://adoptium.net/', path.separator = ':', java.vm.name = 'OpenJDK 64-Bit Server VM', file.encoding.pkg = 'sun.io', user.country = 'NL', sun.java.launcher = 'SUN_STANDARD', sun.os.patch.level = 'unknown', java.vm.specification.name = 'Java Virtual Machine Specification', user.dir = '/v1/someproduct/server/work/default', java.runtime.version = '1.8.0_345-b01', java.awt.graphicsenv = 'sun.awt.X11GraphicsEnvironment', java.endorsed.dirs = '/v1/java/jre/lib/endorsed', os.arch = 'amd64', java.io.tmpdir = '/v1/someproduct/server/temp/default', line.separator = ' ', java.vm.specification.vendor = 'Oracle Corporation', os.name = 'Linux', sun.jnu.encoding = 'UTF-8', jetty.git.hash = 'b1e6b55512e008f7fbdf1cbea4ff8a6446d1073b', java.library.path = '/v1/someproduct/server/lib/', 
java.specification.name = 'Java Platform API Specification', vm.process = 'user', java.class.version = '52.0', sun.management.compiler = 'HotSpot 64-Bit Tiered Compilers', os.version = '5.15.79.1-microsoft-standard-WSL2', user.home = '/home/fwd', user.timezone = 'Europe/Amsterdam', java.awt.printerjob = 'sun.print.PSPrinterJob', file.encoding = 'UTF-8', java.specification.version = '1.8', user.name = 'fwd', java.class.path = '/v1/someproduct/server/lib/p2j.jar:/v1/someproduct/server/lib/someproduct.jar:/v1/someproduct/server/lib/someproduct.ext.jar', java.vm.specification.version = '1.8', sun.arch.data.model = '64', java.home = '/v1/java/jre', sun.java.command = 'com.goldencode.p2j.main.ClientDriver server:spawner:uuid=50df003e-fd04-4851-9f6f-fb978f839de4 net:server:host=localhost net:socket:nio=true net:ssl:trackSeqNo=false net:connection:secure=true net:server:secure_port=3333 client:driver:type=gui_web client:gui:desktopHeight=768 client:gui:desktopWidth=1024 client:gui:taskbar=true client:gui:graphicsCached=false client:gui:disablePixelManipulation=false client:gui:renderer=2d client:gui:taskBarStyle=fixed client:web:socketTimeout=90000 client:web:watchdogTimeout=-1 client:web:maxBinaryMessage=32768 client:web:maxTextMessage=4096 client:web:maxIdleTime=90000 client:web:delayBetweenTriesToConnect=5000 client:web:tryToConnectMessage=\"The websocket connection to the application has been lost. Attempting to restore the connection.\" client:web:serverUnavailableMessage=\"The application server is no longer available. 
Please contact support.\" client:web:connectionRestoredMessage=\"The server connection has been restored.\" client:web:pingPongInterval=30000 client:web:maxLostPings=6 client:web:delayBetweenPingTries=1000 client:web:enableDebugLogging=false client:web:maxOutputBufferSize=1048576 client:web:maxOutputAggregationSize=8192 client:web:maxHttpIdleTimeout=0 client:web:maxResponseHeaderSize=8192 client:web:maxRequestHeaderSize=8192 client:text-metrics:cache-size=10000 client:web:embedded=false client:web:port=0 client:web:host=localhost web:referrer:url=https://localhost:41000/gui client:cmd-line-option:debugalert=true net:http_client:disable_ssl_certificate_validation=true ssl-socket:truststore:location=/v1/someproduct/server/security/trusted-certs.store ssl-socket:truststore:password=45174a40427cf43c', java.specification.vendor = 'Oracle Corporation', user.language = 'nl', awt.toolkit = 'sun.awt.X11.XToolkit', java.vm.info = 'mixed mode', java.version = '1.8.0_345', java.ext.dirs = '/v1/java/jre/lib/ext:/usr/java/packages/lib/ext', sun.boot.class.path = '/v1/java/jre/lib/resources.jar:/v1/java/jre/lib/rt.jar:/v1/java/jre/lib/sunrsasign.jar:/v1/java/jre/lib/jsse.jar:/v1/java/jre/lib/jce.jar:/v1/java/jre/lib/charsets.jar:/v1/java/jre/lib/jfr.jar:/v1/java/jre/classes', java.vendor = 'Temurin', java.awt.headless = 'true', file.separator = '/', java.vendor.url.bug = 'https://github.com/adoptium/adoptium-support/issues', sun.cpu.endian = 'little', sun.io.unicode.encoding = 'UnicodeLittle', sun.font.fontmanager = 'sun.awt.X11FontManager', sun.cpu.isalist = '' } JVM Environment = { PATH = '/v1/java/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin', CLIENT_IP = '172.18.0.1', SHELL = '/bin/bash', TZ = '', P2J_SUBJECT = '614938546D6334303254306C32323269', SSH_CLIENT = '172.18.0.3 42054 22', SSH_TTY = '/dev/pts/1', MOTD_SHOWN = 'pam', TERM = 'xterm', OLDPWD = '/home/fwd', P2J_PASSWORD = '583F372132483636343C313434416074', USER = 
'fwd', P2J_HOME = '/v1/someproduct/server/lib/', DISPLAY = 'localhost:11.0', SSH_CONNECTION = '172.18.0.3 42054 172.18.0.4 22', LOGIN = 'fwd', LOGNAME = 'fwd', LC_CTYPE = 'C.UTF-8', PWD = '/v1/someproduct/server/bin', HOME = '/home/fwd', SHLVL = '1', _ = '/v1/java/bin/java' } feb 09, 2023 4:11:21 PM com.goldencode.p2j.main.ClientCore outputDiagnostics INFO: BootstrapConfig sharedFile = none; privateFile = none; isServer = false; configuraton values = { NET:QUEUE:CONVERSATION = true NET:QUEUE:START_THREAD = false NET:SERVER:HOST = localhost NET:SERVER:SECURE_PORT = 3333 NET:SOCKET:NIO = true NET:SSL:TRACKSEQNO = false NET:CONNECTION:SECURE = true NET:HTTP_CLIENT:DISABLE_SSL_CERTIFICATE_VALIDATION = true SERVER:SPAWNER:UUID = 50df003e-fd04-4851-9f6f-fb978f839de4 CLIENT:DRIVER:TYPE = gui_web CLIENT:GUI:DESKTOPHEIGHT = 768 CLIENT:GUI:DESKTOPWIDTH = 1024 CLIENT:GUI:TASKBAR = true CLIENT:GUI:GRAPHICSCACHED = false CLIENT:GUI:DISABLEPIXELMANIPULATION = false CLIENT:GUI:RENDERER = 2d CLIENT:GUI:TASKBARSTYLE = fixed CLIENT:WEB:SOCKETTIMEOUT = 90000 CLIENT:WEB:WATCHDOGTIMEOUT = -1 CLIENT:WEB:MAXBINARYMESSAGE = 32768 CLIENT:WEB:MAXTEXTMESSAGE = 4096 CLIENT:WEB:MAXIDLETIME = 90000 CLIENT:WEB:DELAYBETWEENTRIESTOCONNECT = 5000 CLIENT:WEB:TRYTOCONNECTMESSAGE = \"The websocket connection to the application has been lost. Attempting to restore the connection.\" CLIENT:WEB:SERVERUNAVAILABLEMESSAGE = \"The application server is no longer available. 
Please contact support.\" CLIENT:WEB:CONNECTIONRESTOREDMESSAGE = \"The server connection has been restored.\" CLIENT:WEB:PINGPONGINTERVAL = 30000 CLIENT:WEB:MAXLOSTPINGS = 6 CLIENT:WEB:DELAYBETWEENPINGTRIES = 1000 CLIENT:WEB:ENABLEDEBUGLOGGING = false CLIENT:WEB:MAXOUTPUTBUFFERSIZE = 1048576 CLIENT:WEB:MAXOUTPUTAGGREGATIONSIZE = 8192 CLIENT:WEB:MAXHTTPIDLETIMEOUT = 0 CLIENT:WEB:MAXRESPONSEHEADERSIZE = 8192 CLIENT:WEB:MAXREQUESTHEADERSIZE = 8192 CLIENT:WEB:EMBEDDED = false CLIENT:WEB:PORT = 41003 CLIENT:WEB:HOST = localhost CLIENT:WEB:LANG = ? CLIENT:TEXT-METRICS:CACHE-SIZE = 10000 CLIENT:CMD-LINE-OPTION:DEBUGALERT = true WEB:REFERRER:URL = https://localhost:41000/gui SSL-SOCKET:TRUSTSTORE:LOCATION = /v1/someproduct/server/security/trusted-certs.store SSL-SOCKET:TRUSTSTORE:PASSWORD = 45174a40427cf43c SECURITY:TRUSTSTORE:ALIAS = standard SECURITY:TRUSTSTORE:BYTES = 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 SECURITY:CERTIFICATE:VALIDATE = true SECURITY:TRUST_MGR:DISABLE = false SECURITY:TRANSPORT:REFRESH = true ACCESS:PASSWORD:TRUSTSTORE = i1B7Ms5pklLStr8q5VLN0&mF+1rbM7>A@YfI } descriptor: BitmapRGB[ICOEntry: width: 32, height: 32, colors: 0, planes: 1, bit count: 32, size: 4264, offset: 1182, BitmapInfoHeader: size: 40 bytes, width: 32, height: 64, planes: 1, bit count: 32, compression: 0, image size: 4096, X pixels per m: 2835, Y pixels per m: 2835, colors used: 1 (unknown), colors important: 1 (all)] descriptor: BitmapRGB[ICOEntry: width: 32, height: 32, colors: 0, planes: 1, bit count: 32, size: 4264, offset: 1182, BitmapInfoHeader: size: 40 bytes, width: 32, height: 64, planes: 1, bit count: 32, compression: 0, image size: 4096, X pixels per m: 2835, Y pixels per m: 2835, colors used: 1 (unknown), colors important: 1 (all)] descriptor: BitmapRGB[ICOEntry: width: 32, height: 32, colors: 0, planes: 1, bit count: 32, size: 4264, offset: 1182, BitmapInfoHeader: size: 40 bytes, width: 32, height: 64, planes: 1, bit count: 32, compression: 0, image size: 
4096, X pixels per m: 2835, Y pixels per m: 2835, colors used: 1 (unknown), colors important: 1 (all)] feb 09, 2023 4:12:11 PM com.goldencode.p2j.ui.client.event.EventManager postEvent WARNING: Wasted event: PaintEvent{TAB (9), source=Frame rect-overlay##nl.somecompany.someproduct.ui.src.someproductopenedge.src.sys.UserLogRectOverlay$UserLogRectOverlayDef 4 Dimension[100.0,6.91] Point[0.0,6.67] visible true can false; , delayed, updateRect=Rectangle[top=8.15, left=0.2, bottom=15.01, right=100.0]} feb 09, 2023 4:12:21 PM com.goldencode.p2j.ui.client.event.EventManager postEvent WARNING: Wasted event: ActionEvent{CTRL-E (5), source=ButtonGuiImpl{20, "Inloggen"}, command=GO}
#4 Updated by Tijs Wickardt 12 months ago
Greg, as can be seen in #7354-3, the title of this task is a bit too narrow. Also sun.java.command needs some secret masking.
That's why I proposed a more generic solution with a custom secret regex mask in the generic FWD logger.
But of course we could design other solutions, it was just an idea.
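
The regex-mask idea proposed in #7354-4, sketched as an added example (not FWD code and not part of the comment above): a java.util.logging formatter that masks the value of any key whose name contains "password". The class name, the default pattern and the sample log values are assumptions constructed for illustration.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;
import java.util.regex.Pattern;

// Hypothetical class, not part of FWD: masks secrets in every formatted log record.
public class SecretMaskingFormatter extends SimpleFormatter {
    // Assumed default: a key fragment containing "password" (any case), then '=' with
    // optional spaces and an optional opening quote; the value runs to the next
    // whitespace, quote, comma or closing bracket.
    static final Pattern DEFAULT_SECRET =
        Pattern.compile("(?i)(password[\\w:.-]*\\s*=\\s*'?)([^\\s',\\]}]+)");

    private final Pattern secret;

    public SecretMaskingFormatter() { this(DEFAULT_SECRET); }

    // A deployment can pass its own mask; group 1 is kept, the rest of the match is replaced.
    public SecretMaskingFormatter(Pattern secret) { this.secret = secret; }

    String mask(String text) {
        return secret.matcher(text).replaceAll("$1****");
    }

    @Override
    public String format(LogRecord record) {
        // Mask the fully formatted text so the message and any stack trace
        // appended by SimpleFormatter are both covered.
        return mask(super.format(record));
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("mask-demo");
        log.setUseParentHandlers(false);
        ConsoleHandler handler = new ConsoleHandler();
        handler.setFormatter(new SecretMaskingFormatter());
        log.addHandler(handler);

        // Constructed sample lines shaped like the three leak sites in this issue.
        log.info("Spawn info: The argument number 21 is: ssl-socket:truststore:password=EXAMPLE-SECRET-1");
        log.info("JVM Environment = { P2J_PASSWORD = 'EXAMPLE-SECRET-2', USER = 'fwd' }");
        log.info("java.home = '/opt/jre', sun.java.command = 'com.example.Main "
            + "net:server:host=localhost ssl-socket:truststore:password=EXAMPLE-SECRET-3'");
    }
}
```

Masking in the formatter only cleans the log output; arguments passed on the command line stay visible in process listings, and keys that do not contain "password" need their own pattern.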