Dev - Nexus Repo / NEXUS-3772

default log4j layout can reveal parts of url in logs as thread id


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Won't Fix
    • Affects Version/s: 1.7.2, 1.8
    • Fix Version/s: 1.9
    • Component/s: Security
    • Labels:
      None
    • Environment:
      Nexus 1.7.2 running on OSX Leopard, JDK 6

      Description

      The default log4j Layout format that Nexus uses is

      %4d{yyyy-MM-dd HH:mm:ss} %-5p [%-15.15t] - %c - %m%n

      The [%-15.15t] bit prints 15 characters of the thread id. In Jetty the thread id can include parts of the HTTP URL, including parts of the query string.

      Here is a sampling:

      2010-09-09 12:34:13 DEBUG [c=1284050053027] - org.mortbay.log - call servlet nexus
      2010-09-09 12:34:13 DEBUG [c=1284050053027] - o.s.n.DefaultNexus - List log files.
      2010-09-09 12:34:13 DEBUG [c=1284050053027] - org.mortbay.log - RESPONSE /nexus/service/local/logs 200
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - org.mortbay.log - REQUEST /nexus/service/local/logs/nexus.log on org.mortbay.jetty.HttpConnection@37de41ce
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - org.mortbay.log - Got Session ID ok90fpss68qx from cookie
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - org.mortbay.log - sessionManager=org.mortbay.jetty.servlet.HashSessionManager@3bcdae24
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - org.mortbay.log - session=org.mortbay.jetty.servlet.HashSessionManager$Session:ok90fpss68qx@246140464
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - org.mortbay.log - servlet=nexus
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - org.mortbay.log - chain=nexusFilter->nexus
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - org.mortbay.log - servlet holder=nexus
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - org.mortbay.log - call filter nexusFilter
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - o.s.s.w.PlexusConfi~ - Matched pathPattern [/service/*/logs/*] for requestURI [/service/local/logs/nexus.log]. Utilizing corresponding filter chain...
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - o.s.n.s.f.a.HttpVer~ - MAPPED 'read' action to permission: nexus:logs:read
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - o.s.s.a.ExceptionCa~ - Realm: XmlAuthenticatingRealm user: admin does NOT have permisison: nexus:logs:read
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - o.s.s.a.ExceptionCa~ - Realm: org.sonatype.security.realms.XmlAuthorizingRealm user: admin has permisison: nexus:logs:read
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - org.mortbay.log - call servlet nexus
      2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - o.s.n.DefaultNexus - Retrieving nexus.log log file.
      2010-09-09 12:34:25 DEBUG [/logs/nexus.log] - org.mortbay.log - RESPONSE /nexus/service/local/logs/nexus.log 200
      2010-09-09 12:34:25 DEBUG [ - /favicon.ico] - org.mortbay.log - REQUEST /favicon.ico on org.mortbay.jetty.HttpConnection@37de41ce
      2010-09-09 12:34:25 DEBUG [ - /favicon.ico] - org.mortbay.log - RESPONSE /favicon.ico 200
      2010-09-09 12:35:37 DEBUG [tion=FHACKER%20] - org.mortbay.log - REQUEST /nexus/service/local/authentication/login on org.mortbay.jetty.HttpConnection@49a8b29c
      2010-09-09 12:35:37 DEBUG [tion=FHACKER%20] - org.mortbay.log - Got Session ID nkti89jgl3my from cookie
      2010-09-09 12:35:37 DEBUG [tion=FHACKER%20] - org.mortbay.log - sessionManager=org.mortbay.jetty.servlet.HashSessionManager@3bcdae24
      2010-09-09 12:35:37 DEBUG [tion=FHACKER%20] - org.mortbay.log - session=null
      2010-09-09 12:35:37 DEBUG [tion=FHACKER%20] - org.mortbay.log - servlet=nexus
      2010-09-09 12:35:37 DEBUG [tion=FHACKER%20] - org.mortbay.log - chain=nexusFilter->nexus
      2010-09-09 12:35:37 DEBUG [tion=FHACKER%20] - org.mortbay.log - servlet holder=nexus
      2010-09-09 12:35:37 DEBUG [tion=FHACKER%20] - org.mortbay.log - call filter nexusFilter
      2010-09-09 12:35:37 DEBUG [tion=FHACKER%20] - o.s.s.w.PlexusConfi~ - Matched pathPattern [/service/*/authentication/login] for requestURI [/service/local/authentication/login]. Utilizing corresponding filter chain...
      2010-09-09 12:35:37 DEBUG [tion=FHACKER%20] - o.s.n.s.f.a.NexusSe~ - Using authorization from request parameter
      2010-09-09 12:35:37 DEBUG [tion=FHACKER%20] - o.s.n.s.f.a.NexusSe~ - Using authorization from request parameter
      2010-09-09 12:35:37 ERROR [tion=FHACKER%20] - o.s.n.s.f.a.NexusSe~ - Unable to login

      Ideally we should be able to configure the thread id to be system generated, thus preserving the ability to track log lines per thread while avoiding the security hole of printing request query params in the log files.
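      As an added detection example (not part of the issue or of Nexus itself), the script below parses lines written in the default layout quoted above and flags thread fields that carry URL or query-string fragments instead of a thread name. The sample lines are constructed from the ones quoted in the description, and the leak heuristics (path separator, percent-encoded byte, key=value with a non-numeric value) are assumptions of this example.

```python
import re

# Regex for the Nexus default layout "%4d{yyyy-MM-dd HH:mm:ss} %-5p [%-15.15t] - %c - %m%n":
# timestamp, level, a thread field padded/truncated to exactly 15 chars, logger, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>.{15})\] - "
    r"(?P<logger>\S+) - "
    r"(?P<msg>.*)$"
)

# Assumed heuristics for thread-field content that looks like request data rather
# than a thread name: a URL path separator, a percent-encoded byte, or key=value
# with a non-numeric value (purely numeric ids such as "c=1284050053027" are left alone).
LEAK_RE = re.compile(r"/|%[0-9A-Fa-f]{2}|\w+=\S*[^\d\s]")

def parse_line(line):
    """Split one log line into its layout fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def thread_field_leaks(thread):
    """True when the 15-char thread field carries URL or query-string fragments."""
    return bool(LEAK_RE.search(thread))

def find_leaks(lines):
    """Return the distinct leaked thread-field fragments, in first-seen order."""
    seen = []
    for line in lines:
        rec = parse_line(line)
        if rec and thread_field_leaks(rec["thread"]):
            frag = rec["thread"].strip()
            if frag not in seen:
                seen.append(frag)
    return seen

# Constructed sample, taken from the lines quoted in the issue description.
SAMPLE_LOG = """\
2010-09-09 12:34:13 DEBUG [c=1284050053027] - org.mortbay.log - call servlet nexus
2010-09-09 12:34:24 DEBUG [/logs/nexus.log] - org.mortbay.log - servlet=nexus
2010-09-09 12:34:25 DEBUG [ - /favicon.ico] - org.mortbay.log - RESPONSE /favicon.ico 200
2010-09-09 12:35:37 ERROR [tion=FHACKER%20] - o.s.n.s.f.a.NexusSe~ - Unable to login
""".splitlines()

if __name__ == "__main__":
    for frag in find_leaks(SAMPLE_LOG):
        print("thread field carries request data:", frag)
```

      Running it over a real nexus.log in this layout lists which request fragments the thread column has already written to disk, which is the input you need to decide whether the log files themselves must be treated as sensitive.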

              People

              Assignee: Tamás Cservenák (cstamas)
              Reporter: Peter Lynch (plynch)
              Last Updated By: Peter Lynch