camel-dev mailing list archives

From "Taariq Levack (JIRA)" <>
Subject [jira] [Updated] (CAMEL-3980) Exception message contains plaintext password
Date Tue, 17 May 2011 20:45:47 GMT


Taariq Levack updated CAMEL-3980:

    Attachment: CAMEL-3980.patch

The patch sanitizes the URL for RemoteFileProducer and FtpConsumer, and also logs the endpoint's
toString instead of the endpoint URI so that is sanitized too.

No additional tests were added; DefaultEndpointTest already tests the sanitizing, and the FromFtpSimulateNetworkIssueRecoverTest.testFtpRecover
logs will show that the problem is solved for ftp.

If there are others I'm unaware of please let me know.

> Exception message contains plaintext password
> ---------------------------------------------
>                 Key: CAMEL-3980
>                 URL:
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-ftp
>    Affects Versions: 2.6.0
>         Environment: Configured via Spring
>            Reporter: Ales Dolecek
>              Labels: logging, security
>         Attachments: CAMEL-3980.patch
>   Original Estimate: 1h
>  Remaining Estimate: 1h
> The exception thrown by RemoteFilePollingConsumerPollStrategy shows the URI and shows the password
> in plaintext. Since we report ERROR and WARN messages from logs to external destinations (SNMP
> and mail) the password leaves the system and we are losing control over its spread across the
> enterprise. I decided to mark this as a major issue since it is security related. I have found
> another issue, #CAMEL-3099, related to cleartext passwords in log files. It is closed, however,
> and I don't know if I should try to reopen it.
> Here is a sample log (the username and password parameters were altered):
> 2011-05-16 22:35:07,210 WARN  [FtpConsumer] File operation failed:  Software caused connection abort: socket write error. Code: 250
> 2011-05-16 22:35:07,210 WARN  [RemoteFilePollingConsumerPollStrategy] Consumer Consumer[] could not poll endpoint:
> caused by: File operation failed:  Software caused connection abort: recv failed. Code: 250
> org.apache.camel.component.file.GenericFileOperationFailedException: File operation failed:  Software caused connection abort: recv failed. Code: 250
> 	at org.apache.camel.component.file.remote.FtpOperations.getCurrentDirectory(
> 	at org.apache.camel.component.file.remote.FtpConsumer.pollDirectory(
> 	at org.apache.camel.component.file.GenericFileConsumer.poll(
> 	at
> 	at java.util.concurrent.Executors$ Source)
> 	at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
> 	at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
> 	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown
> 	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown
> 	at java.util.concurrent.ScheduledThreadPoolExecutor$
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
> 	at java.util.concurrent.ThreadPoolExecutor$ Source)
> 	at Source) Caused by: Software caused connection abort: recv failed
> 	at Method)
> 	at Source)
> 	at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
> 	at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
> 	at Source)
> 	at Source)
> 	at Source)
> 	at Source)
> 	at Source)
> 	at
> 	at
> 	at
> 	at
> 	at
> 	at
> 	at org.apache.camel.component.file.remote.FtpOperations.getCurrentDirectory(
> 	... 12 more
> Ales
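As an added illustration of the masking the patch describes (this is not Camel's own code or the attached patch), the helper below strips the password from an endpoint URI before it is embedded in a log line or exception message; the class name, the `xxxxxx` mask and the sample endpoint are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Masks credentials in an endpoint URI before it reaches a log line or exception message. */
public final class UriSanitizer {
    // Hypothetical helper, not Camel's code. Query keys whose values must never be logged.
    private static final Pattern SECRET_PARAM =
        Pattern.compile("(?i)(password|passphrase|secretKey)=([^&]*)");

    // Userinfo of the form "scheme://user:secret@host" -> the secret part is replaced.
    private static final Pattern USERINFO_PASSWORD =
        Pattern.compile("://([^:/@]+):[^@/]*@");

    public static String sanitize(String uri) {
        if (uri == null) {
            return null;
        }
        // 1. "ftp://alice:hunter2@host" -> "ftp://alice:xxxxxx@host"
        Matcher u = USERINFO_PASSWORD.matcher(uri);
        String out = u.replaceAll("://$1:xxxxxx@");
        // 2. "...?password=hunter2&..." -> "...?password=xxxxxx&..."
        Matcher q = SECRET_PARAM.matcher(out);
        return q.replaceAll("$1=xxxxxx");
    }

    public static void main(String[] args) {
        // Constructed sample endpoint; the credentials are placeholders.
        String endpoint =
            "ftp://alice:hunter2@ftp.example.org/inbox?password=hunter2&passiveMode=true";
        // What the reported bug puts into the WARN message and exception text.
        String leaking = "Consumer could not poll endpoint: " + endpoint;
        // What should be logged instead: the sanitized form of the same URI.
        String safe = "Consumer could not poll endpoint: " + sanitize(endpoint);
        System.out.println(leaking);
        System.out.println(safe);
    }
}
```

The same sanitized string is what should be handed to any exception constructor, since the exception's message ends up in the same WARN/ERROR log lines that are forwarded to SNMP and mail.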

This message is automatically generated by JIRA.
For more information on JIRA, see: