Lightrun
question-mark

Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Security issue: JDBC URI contains plaintext password & username

See original GitHub issue

Issue Description

Proposal

Spline Agent should contain URI filtering for, at least, passwords. Captured Lineage data are send insecurely thru HTTP protocol to Producer, which can be located out of the secured network, so anyone can listen and capture the password.

I believe this issue should be solved on either Agent and UI sides. Best solution is not sent it at all or securely mask it (f.e. with asterisks).

Example

Current state: DataSource URI: jdbc:sqlserver://sample.database.windows.net:1433;database=sample;user=sample;password=password;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30:

Future state: DataSource URI: jdbc:sqlserver://sample.database.windows.net:1433;database=sample;user=;password=;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30:

Version

For version 0.5.1 Agent, UI.

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:22 (14 by maintainers)

github_iconTop GitHub Comments

2reactions
wajdacommented, May 11, 2021

Please check it now, should be working. It was my oversight, the filtering was applied for the n-th level of nested properties, but not the 1st one. I’ve added more unit tests as well.

2reactions
xfontes42commented, May 10, 2021

Hello @wajda , looking at the most recent changes and the PR for this issue, cases like this are completely solved:

"reads": [
{
"inputSources": [
"jdbc:postgresql://someHost:somePort/someDB?user=someUser&password=*****"
],
"params": {
"url": "jdbc:postgresql://someHost:somePort/someDB?user=someUser&password=******",
"dbtable": "someTable",
},

However, there is still the case:

"params": {
"url": "jdbc:postgresql://someHost:somePort/someDB",
"dbtable": "someTable",
"user": "someUser",
"password": "somePassword"
}

Would it be possible to change the regex in the properties such that this scenario is also handled? Thanks in advance for your help!

Read more comments on GitHub >

github_iconTop Results From Across the Web

findbugs and database password security issue - Stack Overflow
The vast majority of Web Applications use a hard-coded username/password for their SQL connection. Checking production credentials ...
Read more >
Question regarding the sending of passwords via JDBC
I'd like to know if the username and password is sent in clear text during the getConnection() JDBC call to connect a client...
Read more >
User ID and password security under the IBM Data Server ...
With the IBM Data Server Driver for JDBC and SQLJ, one of the available security methods is user ID and password security.
Read more >
Securing connection strings - JDBC Driver for SQL Server
Storing a user ID and password in plain text, such as in your source code, presents a serious security issue. Even if you...
Read more >
Encrypt tomcat database password - How to avoid Clear Text ...
Having, The Username and Connection details as a clear text is OK to some extent but Having the Password Unencrypted or as clear...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Throwing runtime exception for delta commands

Next page

AVRO: a class name is captured instead of a format name