
fix: password log leak in RabbitMQ bridge

This fixes a vulnerability in the RabbitMQ bridge that could expose
passwords in log files. This was accomplished by
initializing the encryption library specifically designed for RabbitMQ's
passwords. Consequently, passwords are no longer stored in unencrypted
format. As a result, they will no longer be visible as plain text in log
messages, thereby enhancing the system's security.

Fixes:
https://emqx.atlassian.net/browse/EMQX-9976
Kjell Winblad 2 yıl önce
ebeveyn
işleme
a4fcc0dcb3

+ 1 - 1
apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq.app.src

@@ -1,6 +1,6 @@
 {application, emqx_bridge_rabbitmq, [
     {description, "EMQX Enterprise RabbitMQ Bridge"},
-    {vsn, "0.1.1"},
+    {vsn, "0.1.2"},
     {registered, []},
     {applications, [kernel, stdlib, ecql, rabbit_common, amqp_client]},
     {env, []},

+ 12 - 0
apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq_connector.erl

@@ -13,6 +13,7 @@
 
 %% Needed to create RabbitMQ connection
 -include_lib("amqp_client/include/amqp_client.hrl").
+-include_lib("credentials_obfuscation/include/credentials_obfuscation.hrl").
 
 -behaviour(emqx_resource).
 -behaviour(hocon_schema).
@@ -230,6 +231,17 @@ on_start(
         processed_payload_template => ProcessedTemplate,
         config => Config
     },
+    %% Initialize RabbitMQ's secret library so that the password is encrypted
+    %% in the log files.
+    case credentials_obfuscation:secret() of
+        ?PENDING_SECRET ->
+            Bytes = crypto:strong_rand_bytes(128),
+            %% The password can appear in log files if we don't do this
+            credentials_obfuscation:set_secret(Bytes);
+        _ ->
+            %% Already initialized
+            ok
+    end,
     case emqx_resource_pool:start(InstanceID, ?MODULE, Options) of
         ok ->
             {ok, State};
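Review bot: The check-then-set on `credentials_obfuscation:secret()` at the top of this hunk is not atomic across processes: two bridge instances started concurrently could both observe `?PENDING_SECRET` and each call `set_secret/1` with a different random value, after which anything obfuscated under the first secret would no longer decrypt — unless the library makes a second `set_secret/1` a no-op, which this page does not show. A safer shape is to run this once per node from the application's start callback, or at least to move it into a helper such as `ensure_obfuscation_secret/0` so `on_start` stays readable. The state map built just above the added lines still carries `config => Config`; if that config holds the password, this copy remains plaintext and is not covered by the secret library, which presumably only protects what amqp_client itself obfuscates, so logging of the resource state would still leak it. Note also that `credentials_obfuscation` is now called directly (and its header included in the first hunk of this file) but is not listed under `applications` in the emqx_bridge_rabbitmq app.src section, so startup ordering relies on a transitive dependency. `on_start` begins and ends outside the hunk.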

+ 1 - 1
apps/emqx_rule_engine/src/emqx_rule_engine.app.src

@@ -2,7 +2,7 @@
 {application, emqx_rule_engine, [
     {description, "EMQX Rule Engine"},
     % strict semver, bump manually!
-    {vsn, "5.0.18"},
+    {vsn, "5.0.19"},
     {modules, []},
     {registered, [emqx_rule_engine_sup, emqx_rule_engine]},
     {applications, [kernel, stdlib, rulesql, getopt, emqx_ctl]},