Petals ESB CLI

'topology-list' returns sensible information when no passphrase is given

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 2.1.4, 2.2.0
  • Fix Version/s: 2.3.0
  • Component/s: Command 'topology-list'
  • Security Level: Public
  • Description:
    Hide

    Using the command 'topology-list' without passphrase, sensible information are displayed:

    petals-cli>connect
Would you like to connect to petals:*****@localhost:7700? (y/n) y
petals-cli@localhost:7700>topology-list 
Domain: PEtALS
Subdomain: subdomain1
* Container: sample-0
** Type: master
** Host: localhost
** HTTP Webservice port: 7600
** JMX port: 7700
** TCP port: 7800
** Registry port: 7900
** JMX username: petals
** JMX password: petals

petals-cli@localhost:7700>

    Values of fields 'JMX username' and 'JMX password' should be masked, as using an invalid passphrase:

    petals-cli>connect
Would you like to connect to petals:*****@localhost:7700? (y/n) y
petals-cli@localhost:7700>topology-list -p invalid
Domain: PEtALS
Subdomain: subdomain1
* Container: sample-0
** Type: master
** Host: localhost
** HTTP Webservice port: 7600
** JMX port: 7700
** TCP port: 7800
** Registry port: 7900
** JMX username: *********
** JMX password: *********

petals-cli@localhost:7700>
    Show
    Using the command 'topology-list' without passphrase, sensible information are displayed: 
    petals-cli>connect
Would you like to connect to petals:*****@localhost:7700? (y/n) y
petals-cli@localhost:7700>topology-list 
Domain: PEtALS
Subdomain: subdomain1
* Container: sample-0
** Type: master
** Host: localhost
** HTTP Webservice port: 7600
** JMX port: 7700
** TCP port: 7800
** Registry port: 7900
** JMX username: petals
** JMX password: petals

petals-cli@localhost:7700>
    Values of fields 'JMX username' and 'JMX password' should be masked, as using an invalid passphrase: 
    petals-cli>connect
Would you like to connect to petals:*****@localhost:7700? (y/n) y
petals-cli@localhost:7700>topology-list -p invalid
Domain: PEtALS
Subdomain: subdomain1
* Container: sample-0
** Type: master
** Host: localhost
** HTTP Webservice port: 7600
** JMX port: 7700
** TCP port: 7800
** Registry port: 7900
** JMX username: *********
** JMX password: *********

petals-cli@localhost:7700>
  • Environment:
    -

Activity

Descending order - Click to sort in ascending order
Hide
Permalink
Christophe DENEUX added a comment - Tue, 9 Feb 2016 - 16:43:54 +0100

The definition of the default passphrase has been commented in Debian packages

Show
Christophe DENEUX added a comment - Tue, 9 Feb 2016 - 16:43:54 +0100 The definition of the default passphrase has been commented in Debian packages
Hide
Permalink
Christophe DENEUX added a comment - Tue, 9 Feb 2016 - 15:32:38 +0100 - edited

This problem occurs with the default configuration:

  • in the Petals CLI preference file, the passphrase is set to its default value,
  • the Petals container used has its own default configuration.

As both passphrases match, the sensible information is returned.

In a security point of view, no passphrase should be set at alias level. In a user-friendly point of view, it should be better to be able to set the passphrase at alias level.
As the security is more important in production environment than in development or test environments, the default configuration of Petals CLI must adapted:

  • no default passphrase set for production environment (ie. in Debian packages),
  • a default passphrase set for development and test environments (ie. in ZIP packages).
Show
Christophe DENEUX added a comment - Tue, 9 Feb 2016 - 15:32:38 +0100 - edited This problem occurs with the default configuration:
  • in the Petals CLI preference file, the passphrase is set to its default value,
  • the Petals container used has its own default configuration.
As both passphrases match, the sensible information is returned. In a security point of view, no passphrase should be set at alias level. In a user-friendly point of view, it should be better to be able to set the passphrase at alias level. As the security is more important in production environment than in development or test environments, the default configuration of Petals CLI must adapted:
  • no default passphrase set for production environment (ie. in Debian packages),
  • a default passphrase set for development and test environments (ie. in ZIP packages).

People

Dates

  • Created:
    Thu, 4 Feb 2016 - 18:09:08 +0100
    Updated:
    Tue, 9 Feb 2016 - 16:43:54 +0100
    Resolved:
    Tue, 9 Feb 2016 - 16:43:53 +0100
Atlassian JIRA (v4.1.2#531) | Report a problem | Request a feature | Contact administrators
Powered by a free Atlassian JIRA open source license for Petals ESB. Try JIRA - bug tracking software for your team.