Commit a806549d authored by Maria, committed by Kirill Yukhin

box: replication shouldn't leak user password

It was possible to leak a user password by setting the 'replication'
configuration option in the first box.cfg invocation. This happened due
to unconditional logging in the load_cfg function. The patch introduces
conditional logging.

Closes #4493
parent 85adac03
......@@ -564,6 +564,9 @@ local function load_cfg(cfg)
fun()
end
if not compare_cfg(val, default_cfg[key]) then
if log_cfg_option[key] ~= nil then
val = log_cfg_option[key](val)
end
log.info("set '%s' configuration option to %s", key, json.encode(val))
end
end
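Review bot: the sanitised value is written back into `val` inside the `if log_cfg_option[key] ~= nil then` branch, so the variable that held the real option value holds the log form from that point on. Nothing in the visible lines reads `val` after `log.info`, but a later edit that does would silently get the masked value. Keep the log form in its own local, for example `local logged = log_cfg_option[key](val)`, and pass that to `json.encode`. The definition of `log_cfg_option` is not among the lines shown in this hunk, so a short comment at this call site saying which keys it covers and what each function is expected to strip would help the next reader.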
......
......@@ -591,3 +591,33 @@ test_run:cmd("cleanup server cfg_tester6")
| ---
| - true
| ...
--
-- gh-4493: Replication user password may leak to logs
--
test_run:cmd('create server cfg_tester7 with script = "box/lua/cfg_test6.lua"')
| ---
| - true
| ...
test_run:cmd("start server cfg_tester7")
| ---
| - true
| ...
-- test there is replication log in log
test_run:grep_log('cfg_tester7', 'set \'replication\' configuration option to', 1000)
| ---
| - set 'replication' configuration option to
| ...
-- test there is no password in log
test_run:grep_log('cfg_tester7', 'test%-cluster%-cookie', 1000)
| ---
| - null
| ...
test_run:cmd("stop server cfg_tester7")
| ---
| - true
| ...
test_run:cmd("cleanup server cfg_tester7")
| ---
| - true
| ...
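Review bot: the expected output for the positive check records only the prefix `set 'replication' configuration option to`, so the result file does not pin what is logged in place of the credentials. A sanitiser that logged an empty value, or dropped the host along with the password, would produce the same expected output. Extend the grep pattern to include the expected masked form of the URI so the result shows that the address is still logged and the password is not.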
......@@ -142,3 +142,15 @@ test_run:cmd("start server cfg_tester6")
test_run:grep_log('cfg_tester6', 'set \'vinyl_memory\' configuration option to 1073741824', 1000)
test_run:cmd("stop server cfg_tester6")
test_run:cmd("cleanup server cfg_tester6")
--
-- gh-4493: Replication user password may leak to logs
--
test_run:cmd('create server cfg_tester7 with script = "box/lua/cfg_test6.lua"')
test_run:cmd("start server cfg_tester7")
-- test there is replication log in log
test_run:grep_log('cfg_tester7', 'set \'replication\' configuration option to', 1000)
-- test there is no password in log
test_run:grep_log('cfg_tester7', 'test%-cluster%-cookie', 1000)
test_run:cmd("stop server cfg_tester7")
test_run:cmd("cleanup server cfg_tester7")
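Review bot: the no-password check passes whenever `test%-cluster%-cookie` is absent from the part of the log that `grep_log` searches, and both greps are bounded by the same `1000` argument. The positive grep shows the option line falls inside that window, but a copy of the URI logged anywhere outside it, for instance by the replication connection attempt the script triggers, would go unnoticed. Consider searching the whole log for the cookie, and add a case for any other form the `replication` option accepts, since the script here only sets a single string.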
#!/usr/bin/env tarantool
os = require('os')
box.cfg{
listen = os.getenv("LISTEN"),
replication = "admin:test-cluster-cookie@" .. os.getenv("LISTEN"),
replication_connect_timeout = 0.1,
}
require('console').listen(os.getenv('ADMIN'))
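Review bot: the password in the `replication = "admin:test-cluster-cookie@" ..` line is the sentinel the test greps for, but nothing in the script says so. Add a comment next to it naming the test and the grep pattern, so the two stay in sync when either is edited. Separately, `os = require('os')` assigns a global; make it `local os = require('os')` or drop the line. `os.getenv("LISTEN")` is also concatenated without a check, so an unset variable fails with a concatenation error rather than a clear message.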