
Comments (2)

hagen1778 avatar hagen1778 commented on May 24, 2024

Hello @wasim-nihal!

I'd like to introduce a new boolean flag, maskUsernameFlags, which, when set to true, will mask the content of such flags and just print secret.

If those flags are URLs, we may not have that much control over what is printed. If the URL is passed to a Go standard lib function (like http.Do()), then the returned error may contain the full unmasked URL. The caller of this function won't be able to detect this without adding some type of parser for checking error messages for sensitive info. This might complicate the code and introduce a lot of changes for little gain.

Have you considered adding such sanitizations to logs collector/driver instead?

from victoriametrics.

wasim-nihal avatar wasim-nihal commented on May 24, 2024

Hi @hagen1778, I do not fully understand how username flags can be passed as URLs. What I intended here is not to support the configuration of username flags as URLs (unlike password, where we can give http://).

Instead, the proposed change is just to mask the flags from the logs, similar to those below. Here, as we can see, httpAuth.password gets logged as secret whereas httpAuth.username gets logged as plain text.

$ ./victoria-metrics --httpAuth.username=hello --httpAuth.password=world
2024-04-24T06:00:07.506Z        info    /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:12 build version: victoria-metrics-20240402-115328-heads-master-0-gdaa1326b9-dirty-e12c1b95
2024-04-24T06:00:07.515Z        info    /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:13 command-line flags
2024-04-24T06:00:07.515Z        info    /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:20   -httpAuth.password="secret"
2024-04-24T06:00:07.517Z        info    /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:20   -httpAuth.username="hello"


$ ./vmagent -remoteWrite.url=https://127.0.0.1:8428/api/v1/write  -remoteWrite.basicAuth.username=hello  -remoteWrite.basicAuth.password=world -promscrape.config=./prom.yaml
2024-04-24T06:40:40.405Z        info    /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:12 build version: vmagent-20240424-062430-heads-vmbackup-secure-url-0-g3445ee396-dirty-d8b89610
2024-04-24T06:40:40.406Z        info    /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:13 command-line flags
2024-04-24T06:40:40.406Z        info    /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:20   -promscrape.config="./prom.yaml"
2024-04-24T06:40:40.406Z        info    /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:20   -remoteWrite.basicAuth.password="secret"
2024-04-24T06:40:40.406Z        info    /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:20   -remoteWrite.basicAuth.username="hello"

So, to mask such username flags at startup, the proposed solution is as follows, applied to the file VictoriaMetrics/lib/flagutil/secret.go:

package flagutil

import (
	"flag"
	"strings"
)

var maskUsernameFlags = flag.Bool("maskUsernameFlags", false, "Whether to mask flags related to username from logs")

// secretFlags is declared elsewhere in the original secret.go; an empty map is
// shown here only so that the snippet compiles on its own.
var secretFlags = map[string]bool{}

// IsSecretFlag returns true if s contains a flag name with a secret value, which shouldn't be exposed.
func IsSecretFlag(s string) bool {
	if strings.Contains(s, "pass") || strings.Contains(s, "key") || strings.Contains(s, "secret") || strings.Contains(s, "token") {
		return true
	}
	// Proposed addition: also mask username flags when -maskUsernameFlags is set.
	if *maskUsernameFlags && strings.Contains(s, "username") {
		return true
	}
	return secretFlags[s]
}

Please let me know if my understanding is not right.

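The following is an added, stand-alone example and is not code from this issue or from VictoriaMetrics. It shows the masking rule proposed above as a self-contained routine that renders flags the way the startup log does, and it also covers the concern raised in the first comment: a flag whose value is a URL may carry credentials in its userinfo part, so the value is passed through net/url's Redacted() before being logged. The function names (isSecretFlagName, redactURLValue, formatFlagForLog) and the sample flag values are constructed for this example; the maskUsername parameter stands in for the proposed -maskUsernameFlags flag.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// secretSubstrings mirrors the substrings the posted IsSecretFlag matches on.
var secretSubstrings = []string{"pass", "key", "secret", "token"}

// isSecretFlagName reports whether a flag's value should be replaced by "secret"
// in logs. The username rule only applies when maskUsername is set, as proposed.
func isSecretFlagName(name string, maskUsername bool) bool {
	lower := strings.ToLower(name)
	for _, s := range secretSubstrings {
		if strings.Contains(lower, s) {
			return true
		}
	}
	return maskUsername && strings.Contains(lower, "username")
}

// redactURLValue hides an embedded password in a URL-shaped value using
// (*url.URL).Redacted() from the standard library, which replaces the password
// with "xxxxx". Values that do not parse as a URL with userinfo are returned as-is.
func redactURLValue(value string) string {
	u, err := url.Parse(value)
	if err != nil || u.User == nil {
		return value
	}
	return u.Redacted()
}

// formatFlagForLog renders one flag in the "-name=\"value\"" form seen in the
// startup log, masking secret flags entirely and stripping credentials from
// URL values of the remaining flags.
func formatFlagForLog(name, value string, maskUsername bool) string {
	if isSecretFlagName(name, maskUsername) {
		return fmt.Sprintf("-%s=%q", name, "secret")
	}
	return fmt.Sprintf("-%s=%q", name, redactURLValue(value))
}

func main() {
	// Constructed sample flags, modelled on the vmagent invocation in the comment above.
	flags := [][2]string{
		{"remoteWrite.url", "https://user:pw@127.0.0.1:8428/api/v1/write"},
		{"remoteWrite.basicAuth.username", "hello"},
		{"remoteWrite.basicAuth.password", "world"},
		{"promscrape.config", "./prom.yaml"},
	}
	for _, masked := range []bool{false, true} {
		fmt.Printf("maskUsername=%v\n", masked)
		for _, f := range flags {
			fmt.Println("  " + formatFlagForLog(f[0], f[1], masked))
		}
	}
}
```

Redacted() only covers the userinfo part of a URL that this code controls before it is logged; as the first comment notes, an error returned by the standard library after the URL has been used can still contain the original string, so redaction at the log sink remains a separate concern.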
