Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP - Security Hardening: Guess sensitive attributes by name in addition to API checks #984

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

WIP - Security Hardening: Guess sensitive attributes by name in addition to API checks #984

wants to merge 1 commit into from

Conversation

oleg-nenashev
Copy link
Member

This is a follow-up to the SECURITY-1279, SECURITY-1458, SECURITY-1497 fixes in JCasC 1.25 and 1.27. Although these fixes provide a decent level of security for attributes where Secret is somehow referenced in plugin APIs, there is still a gap for plugins which do not use Secret API at all. If passwords are stored in plain text (like in plugins references in this advisory) and retrieved as Strings in API, there is nothing JCasC can do about it at the moment. It makes JCasC use-cases impacted by vulnerabilities in other plugins.

This change...

  • Introduces an additional security hardening layer where sensitive AND not encrypted attributes are masked by default in system logs and configuration exports. Secret exports are encrypted, and nothing changes there
  • Adds new API which allow Attributes to indicate that a field is encrypted
  • Fixes a regression in ProxyConfigurator which is caused by the changes. It demonstrates the use of new APIs

Your checklist for this pull request

🚨 Please review the guidelines for contributing to this repository.

  • Make sure you are requesting to pull a topic/feature/bugfix branch (right side) and not your master branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or in Jenkins JIRA
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Did you provide a test-case? That demonstrates feature works or fixes the issue.

@oleg-nenashev oleg-nenashev added the feature A PR that adds a feature - used by Release Drafter label Aug 13, 2019
varyvol
varyvol approved these changes Aug 13, 2019
View reviewed changes
Copy link

@varyvol varyvol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming CI passes.

@oleg-nenashev
Copy link
Member Author

retriggering CI

@oleg-nenashev oleg-nenashev reopened this Aug 16, 2019
@oleg-nenashev oleg-nenashev changed the title Security Hardening: Guess sensitive attributes by name in addition to API checks WIP - Security Hardening: Guess sensitive attributes by name in addition to API checks Aug 16, 2019
@oleg-nenashev
Copy link
Member Author

Test failure is real

@jetersen jetersen marked this pull request as draft April 10, 2020 08:07
@timja
Copy link
Member

timja commented Aug 7, 2021

@oleg-nenashev Do you plan to pick this up again? Or shall we close it? I don't remember seeing new issues about this at all

@oleg-nenashev
Copy link
Member Author

oleg-nenashev commented Aug 7, 2021 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MRamonLeon MRamonLeon MRamonLeon approved these changes

@varyvol varyvol varyvol approved these changes

@rsandell rsandell Awaiting requested review from rsandell

@alecharp alecharp Awaiting requested review from alecharp

@jetersen jetersen Awaiting requested review from jetersen

@daniel-beck daniel-beck Awaiting requested review from daniel-beck

@timja timja Awaiting requested review from timja

Assignees
No one assigned
Labels
feature A PR that adds a feature - used by Release Drafter
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@oleg-nenashev @timja @varyvol @MRamonLeon