
yahoo-eng-team team mailing list archive

[Bug 2012993] Re: Unredacted X-Auth-Token logged at level DEBUG in nova-api when HTTP status code != 2xx


I've set the VMT's advisory tab to Won't Fix and switched the bug from
Public Security to normal Public state, consistent with a hardening
opportunity. We normally also add the "security" tag but it's already
present.

** Changed in: ossa
       Status: New => Won't Fix

** Information type changed from Public Security to Public

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2012993

Title:
  Unredacted X-Auth-Token logged at level DEBUG in nova-api when HTTP
  status code != 2xx

Status in OpenStack Compute (nova):
  Triaged
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Noticed this while working on something else, if the API is going to
  return a non-2xx HTTP success status code, a lot of request details
  are logged including the user's unsanitized auth token. In the past,
  operators considered this to be a security issue despite logging only
  at level DEBUG. For this reason I am opening a bug for review.

  This particular logging code was added in the Zed release:

  https://review.opendev.org/c/openstack/nova/+/806683

  These are logged a lot when using OSC + server names because OSC
  always tries to look up a name as a UUID (which will fail with 404)
  before it falls back on trying it as an ID. So commands such as
  'openstack server show MyServer' will produce debug logs like the
  following.

  Example log for GET /servers HTTP 404:

  Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: INFO nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] HTTP exception thrown: Instance test could not be found.
  Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: DEBUG nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] Request method failure captured:
  Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]:   request: GET /compute/v2.1/servers/test HTTP/1.1
  Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept: application/json
  Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept-Encoding: gzip, deflate
  Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Connection: keep-alive
  Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Content-Length: 0
  Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Host: 192.168.44.11
  Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Openstack-System-Scope: None
  Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: User-Agent: python-novaclient
  Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: X-Auth-Token: gAAAAABkIj7cGDJYKbnQalHot3qfNuAY1AMwMdKFP0kVQB6_8HRCSizDQpxMfspjx2S7t8rMWPSwYwg0-Yox2QM9E3KPWVq72YPl-cr8XwlDIn-ev9WjpmkmCtlOqOs0M0rOSvQggxdNB0xLx2-gYiWUyMAYW6A1vXcup7Rvs8-YFetPKr2vGnY

  [...]

  Full log trace:

  https://paste.openstack.org/show/bx9CmbgOsDNrIn16PfUW

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/2012993/+subscriptions
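The request dump quoted in the bug shows the two things an operator needs here: a way to mask credential headers before a failed request is written to the log, and a way to check existing logs for tokens that already leaked. The following Python is an added example written for this page; it is not nova's code and not the fix referenced in the Gerrit review. The header list, the minimum token length in the regex, and the sample token and log excerpt are all assumptions constructed for the example. The only fact it relies on is that Keystone Fernet tokens are URL-safe base64 whose 0x80 version byte makes every token begin with "gAAAAA", which is what makes a log scan for them practical.

```python
"""Redact credential headers before logging a failed request, and scan
nova-api style debug logs for tokens that were logged unredacted.

Example code written for this page; it is not nova's own implementation.
SAMPLE_TOKEN and SAMPLE_LOG are constructed inputs, not real data.
"""
import re
from typing import Dict, List, Tuple

# Header names (lower-cased) whose values are bearer credentials.
# The set is an assumption; extend it for your deployment.
SENSITIVE_HEADERS = frozenset({
    "x-auth-token",
    "x-subject-token",
    "x-service-token",
    "x-storage-token",
    "authorization",
    "cookie",
})
MASK = "***"

# Keystone Fernet tokens are URL-safe base64 and begin with the 0x80
# version byte, so every one starts with "gAAAAA". The minimum body
# length is an assumption chosen to avoid matching short base64 fragments.
FERNET_TOKEN_RE = re.compile(r"gAAAAA[A-Za-z0-9_-]{100,}={0,2}")

# Constructed token: real prefix, filler body. Not a real credential.
SAMPLE_TOKEN = "gAAAAA" + "Bk" * 90


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of ``headers`` with credential values replaced by MASK.

    The lookup is case-insensitive because clients and WSGI servers do
    not agree on header capitalisation (X-Auth-Token vs x-auth-token).
    """
    return {
        name: (MASK if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }


def format_request_for_log(method: str, path: str,
                           headers: Dict[str, str]) -> str:
    """Build the multi-line request dump a DEBUG handler would emit,
    redacting first so the token never reaches the log record at all."""
    safe = redact_headers(headers)
    lines = [f"request: {method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in sorted(safe.items())]
    return "\n".join(lines)


def find_leaked_tokens(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, token) for every Fernet-shaped token
    in ``log_lines``. Useful to confirm a redaction change took effect,
    or to size how many tokens an existing log already exposes."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_lines, start=1):
        for match in FERNET_TOKEN_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


# Constructed log excerpt in the shape of the nova-api output quoted above;
# the last line shows what a redacted header looks like and must not match.
SAMPLE_LOG = [
    "DEBUG nova.api.openstack.wsgi [req-1 demo demo] Request method failure captured:",
    "  request: GET /compute/v2.1/servers/test HTTP/1.1",
    "Accept: application/json",
    f"X-Auth-Token: {SAMPLE_TOKEN}",
    "X-Auth-Token: ***",
]


if __name__ == "__main__":
    headers = {"Accept": "application/json", "X-Auth-Token": SAMPLE_TOKEN}
    print(format_request_for_log("GET", "/compute/v2.1/servers/test", headers))
    for lineno, token in find_leaked_tokens(SAMPLE_LOG):
        print(f"leaked token on log line {lineno}: {token[:12]}...")
```

Redacting at the point where the request is formatted, rather than relying on a later log filter, means a DEBUG handler can be switched on in production without the token ever entering a log record. The scanner is deliberately narrow: it looks only for the Fernet prefix, so a token wrapped across two lines by a mail client or pager (as in the quoted dump) would need the lines rejoined before scanning.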