Bug #38386

open

Password from HTTP(S) proxy Setting is logged in plaintext to production.log

Added by Nofar Alfassi 11 days ago. Updated 10 days ago.

Status:
Ready For Testing
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Description of problem:
When specifying credentials in HTTP Proxy in Foreman Settings, the password can be logged in plaintext into `production.log`. While the logfile is accessible by `root` and `foreman` users only, it is still a door to a security problem.
It is worth obfuscating the password directly in the logfile.

Steps to Reproduce:

1. WebUI -> Settings -> HTTP Proxy -> put there e.g. `https://USER:SECRETPASSWORD@squid-server:3128` (where `squid-server` is an address of your proxy)

2. Update the value in any way (to see another log entry with the password)

3. Open WebUI -> Content -> Subscriptions (or any other page that triggers an outgoing request)

Actual behavior:
Steps 1, 2 and 3 each trigger one of the following log entries:

2024-12-12T15:27:03 [I|aud|68392978] Setting (7) create event on value --- https://USER:SECRETPASSWORD@localhost:443
2024-12-12T16:15:59 [I|aud|e44a4430] Setting (7) update event on value --- https://USER:SECRETPASSWORD@localhost:443, --- https://USER:SECRETPASSWORD@pmoravec-rhel9:3128
2024-12-12T16:16:21 [I|app|d6afc88a] (RestClient) Proxying request to subscription.rhsm.redhat.com via https://USER:SECRETPASSWORD@pmoravec-rhel9:3128
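As an added example (not code from the report or from the linked pull request), the following Ruby scrubber masks only the password portion of any proxy URL embedded in a log line while keeping scheme, user, host and port. The sample lines are constructed after the entries above; the proxy hostname `proxy.example` and the fourth, credential-free line are placeholders.

```ruby
require 'uri'

# Placeholder written in place of the password. Letters only, so the
# scrubbed URL still parses as a valid URI.
REDACTED = 'REDACTED'

# Matches "scheme://user:password" immediately followed by "@" anywhere in
# a line. Group 1 keeps scheme and user, group 2 is the password to mask.
CREDENTIALED_URL = %r{([a-z][a-z0-9+.-]*://[^\s/:@]+:)([^\s/@]+)(?=@)}i

# Replaces every password in a log line; a URL without userinfo is left
# untouched (its "host:port" has no trailing "@", so it never matches).
def scrub_proxy_passwords(line)
  line.gsub(CREDENTIALED_URL) { "#{$1}#{REDACTED}" }
end

# Scrubs a single proxy URL before it is handed to a logger. Returns nil for
# anything that is not an http(s) URL so the caller can log a generic
# placeholder instead of the raw setting value.
def loggable_proxy_url(url)
  uri = URI.parse(url)
  return nil unless uri.is_a?(URI::HTTP) # URI::HTTPS is a subclass
  scrub_proxy_passwords(url)
rescue URI::InvalidURIError
  nil
end

# Constructed sample lines modelled on the production.log entries in the report.
SAMPLE_LINES = [
  '2024-12-12T15:27:03 [I|aud|68392978] Setting (7) create event on value --- https://USER:SECRETPASSWORD@localhost:443',
  '2024-12-12T16:15:59 [I|aud|e44a4430] Setting (7) update event on value --- https://USER:SECRETPASSWORD@localhost:443, --- https://USER:SECRETPASSWORD@proxy.example:3128',
  '2024-12-12T16:16:21 [I|app|d6afc88a] (RestClient) Proxying request to subscription.rhsm.redhat.com via https://USER:SECRETPASSWORD@proxy.example:3128',
  '2024-12-12T16:20:00 [I|app|00000000] (RestClient) Proxying request via http://proxy.example:3128 (no credentials)'
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_LINES.each { |l| puts scrub_proxy_passwords(l) }
end
```

The audit line for the update event carries two URLs, so the scrubber has to be applied per line rather than once per setting value.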

Actions #1

Updated by The Foreman Bot 10 days ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/10525 added