
fix: password log leak in RabbitMQ bridge

This fixes a vulnerability in the RabbitMQ bridge, which could
potentially expose passwords to log files. This was accomplished by
initializing the encryption library specifically designed for RabbitMQ's
passwords. Consequently, passwords are no longer stored in unencrypted
format. As a result, they will no longer be visible as plain text in log
messages, thereby enhancing the system's security.

Fixes:
https://emqx.atlassian.net/browse/EMQX-9976
Kjell Winblad 2 年之前
父節點
當前提交
a4fcc0dcb3

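--- a/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq.app.src
+++ b/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq.app.src
@@ -1,6 +1,6 @@
 {application, emqx_bridge_rabbitmq, [
     {description, "EMQX Enterprise RabbitMQ Bridge"},
-    {vsn, "0.1.1"},
+    {vsn, "0.1.2"},
     {registered, []},
     {applications, [kernel, stdlib, ecql, rabbit_common, amqp_client]},
     {env, []},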

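--- a/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq_connector.erl
+++ b/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq_connector.erl
@@ -13,6 +13,7 @@
 
 %% Needed to create RabbitMQ connection
 -include_lib("amqp_client/include/amqp_client.hrl").
+-include_lib("credentials_obfuscation/include/credentials_obfuscation.hrl").
 
 -behaviour(emqx_resource).
 -behaviour(hocon_schema).
@@ -230,6 +231,17 @@ on_start(
         processed_payload_template => ProcessedTemplate,
         config => Config
     },
+    %% Initialize RabbitMQ's secret library so that the password is encrypted
+    %% in the log files.
+    case credentials_obfuscation:secret() of
+        ?PENDING_SECRET ->
+            Bytes = crypto:strong_rand_bytes(128),
+            %% The password can appear in log files if we don't do this
+            credentials_obfuscation:set_secret(Bytes);
+        _ ->
+            %% Already initialized
+            ok
+    end,
     case emqx_resource_pool:start(InstanceID, ?MODULE, Options) of
         ok ->
             {ok, State};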
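Review bot: The read-then-set in the second hunk is not atomic: `credentials_obfuscation:secret()` and `set_secret/1` act on one node-wide secret, yet the block runs inside every `on_start` call, so two RabbitMQ connectors starting concurrently can both observe `?PENDING_SECRET` and both call `set_secret/1`, and if the later call replaces the earlier secret, a password already obfuscated under the first one presumably cannot be decrypted when the AMQP client next connects — worth confirming against the library. A single initialization point (application start or a supervised init) would remove the race; short of that, the comment should state the assumption, e.g. `%% Node-wide secret shared by every RabbitMQ connector; only set while still ?PENDING_SECRET.` followed by `%% Concurrent on_start calls can race here — TODO confirm set_secret/1 never replaces an existing secret.` The existing comment also overstates the effect: the secret lets credentials_obfuscation encrypt the password inside the stored connection parameters, so a plaintext password no longer appears when that state is logged, rather than encrypting anything in the log files themselves. The block further relies on the credentials_obfuscation application already running when `secret/0` is called, which the app.src in the first file reaches only transitively (presumably through rabbit_common/amqp_client) — a short comment naming that dependency would help the next reader. on_start begins and ends outside the hunk.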

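--- a/apps/emqx_rule_engine/src/emqx_rule_engine.app.src
+++ b/apps/emqx_rule_engine/src/emqx_rule_engine.app.src
@@ -2,7 +2,7 @@
 {application, emqx_rule_engine, [
     {description, "EMQX Rule Engine"},
     % strict semver, bump manually!
-    {vsn, "5.0.18"},
+    {vsn, "5.0.19"},
     {modules, []},
     {registered, [emqx_rule_engine_sup, emqx_rule_engine]},
     {applications, [kernel, stdlib, rulesql, getopt, emqx_ctl]},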