elastic/logstash

S3 input output plugin might leak passwords

Open

#12,540 opened on Dec 30, 2020

View on GitHub
 (3 comments) (0 reactions) (0 assignees)Ruby (14,197 stars) (3,496 forks)batch import
good first issue

Description

When you use minio or another S3 provider that uses path_style for buckets and do not configure this with the force_path_style then logstash while fail with a stacktrace which contains the S3 secret key. This was tested with secret key and key identifier present in the config. Not tested with a config file yet. probably config file is better.

Contributor guide

Tech stack
None
Domain
backendsecurity
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Logstash basicsS3 configuration
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
Investigate the S3 input and output plugins' error handling to identify where the secret key is included in stack traces. Look for any existing code that redacts sensitive information. Consider modifying the error logging to exclude the secret key when displaying configuration errors. Review comments in the issue for any additional context.
S3 input output plugin might leak passwords · elastic/logstash#12540 | Good First Issue