[FOLIO-1520] sensitive information is logged/echoed
| Created: | 20/Sep/18 | Updated: | 18/Jan/19 |
| Status: | Open |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Task | Priority: | P3 |
| Reporter: | Zak Burke | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Sprint: | |
| Development Team: | Core: Platform |
| Description |
When a request contains sensitive information, e.g. because it is a login or change-password request, and that request fails, the sensitive information must not be logged or returned as part of the error response.
| Details |
Currently, POST requests to http://folio-snapshot-367.aws.indexdata.com:9130/bl-users/login?expandPermissions=true&fullPermissions=true are failing with a 500 response with the body
{
"endpoint" : "/authn/login",
"statusCode" : 500,
"errorMessage" : "{\"username\":\"diku_admin\",\"password\":\"admin\"}"
}
The error message should not contain sensitive information such as the password.
| Comments |
| Comment by Zak Burke [ 20/Sep/18 ] |
I filed this under Folio rather than mod-users-bl because it identifies the general issue – sensitive information should not be logged – rather than a specific one. But, if you did want to file a sub-issue to deal with this specific case, /proxy/tenants/diku/modules?full=true reports this instance is running mod-users-bl-4.0.2-SNAPSHOT.25 and mod-authtoken-1.5.2-SNAPSHOT.26.