Petals ESB CLI

'topology-list' returns sensitive information when no passphrase is given

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 2.1.4, 2.2.0
  • Fix Version/s: 2.3.0
  • Security Level: Public
  • Description:

    Using the command 'topology-list' without a passphrase, sensitive information is displayed:

    petals-cli>connect
    Would you like to connect to petals:*****@localhost:7700? (y/n) y
    petals-cli@localhost:7700>topology-list 
    Domain: PEtALS
    Subdomain: subdomain1
    * Container: sample-0
    ** Type: master
    ** Host: localhost
    ** HTTP Webservice port: 7600
    ** JMX port: 7700
    ** TCP port: 7800
    ** Registry port: 7900
    ** JMX username: petals
    ** JMX password: petals
    
    petals-cli@localhost:7700>

    The values of the fields 'JMX username' and 'JMX password' should be masked, as they are when an invalid passphrase is used:

    petals-cli>connect
    Would you like to connect to petals:*****@localhost:7700? (y/n) y
    petals-cli@localhost:7700>topology-list -p invalid
    Domain: PEtALS
    Subdomain: subdomain1
    * Container: sample-0
    ** Type: master
    ** Host: localhost
    ** HTTP Webservice port: 7600
    ** JMX port: 7700
    ** TCP port: 7800
    ** Registry port: 7900
    ** JMX username: *********
    ** JMX password: *********
    
    petals-cli@localhost:7700>
  • Environment:
    -

Activity

Christophe DENEUX added a comment - Tue, 9 Feb 2016 - 15:32:38 +0100 - edited

This problem occurs with the default configuration:

  • in the Petals CLI preference file, the passphrase is set to its default value,
  • the Petals container used has its own default configuration.

As both passphrases match, the sensitive information is returned.

From a security point of view, no passphrase should be set at alias level. From a user-friendliness point of view, it would be better to be able to set the passphrase at alias level.
As security is more important in production environments than in development or test environments, the default configuration of Petals CLI must be adapted:

  • no default passphrase set for production environments (i.e. in Debian packages),
  • a default passphrase set for development and test environments (i.e. in ZIP packages).
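To make the masking rule and the default-passphrase pitfall from this comment concrete, here is an added Python model of the 'topology-list' rendering; it is example code, not the Petals CLI's own, and the container fields, the passphrase value 'petals-default' and the preference-file resolution are constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional

MASK = "*********"

@dataclass
class Container:
    name: str
    ctype: str
    host: str
    ws_port: int
    jmx_port: int
    tcp_port: int
    registry_port: int
    jmx_user: str
    jmx_password: str
    passphrase: str  # the container's own topology passphrase (assumed field)

# Constructed sample mirroring the issue's output; the passphrase value is an assumption.
SAMPLE = Container("sample-0", "master", "localhost", 7600, 7700, 7800, 7900,
                   "petals", "petals", "petals-default")

def credentials_visible(given: Optional[str], expected: str) -> bool:
    """Show JMX credentials only when a passphrase was supplied and matches.
    A missing passphrase is treated exactly like an invalid one."""
    if given is None:
        return False
    return hmac.compare_digest(given.encode(), expected.encode())

def effective_passphrase(cli_arg: Optional[str], pref_default: Optional[str]) -> Optional[str]:
    """Model of passphrase resolution: an explicit '-p' value wins, otherwise the
    preference-file default; None when that default is commented out (the fix)."""
    return cli_arg if cli_arg is not None else pref_default

def render_topology(domain: str, subdomain: str, containers: List[Container],
                    passphrase: Optional[str]) -> str:
    lines = [f"Domain: {domain}", f"Subdomain: {subdomain}"]
    for c in containers:
        show = credentials_visible(passphrase, c.passphrase)
        lines += [f"* Container: {c.name}", f"** Type: {c.ctype}", f"** Host: {c.host}",
                  f"** HTTP Webservice port: {c.ws_port}", f"** JMX port: {c.jmx_port}",
                  f"** TCP port: {c.tcp_port}", f"** Registry port: {c.registry_port}",
                  f"** JMX username: {c.jmx_user if show else MASK}",
                  f"** JMX password: {c.jmx_password if show else MASK}"]
    return "\n".join(lines)

if __name__ == "__main__":
    # Default preference passphrase matching the container's default: credentials leak.
    print(render_topology("PEtALS", "subdomain1", [SAMPLE], effective_passphrase(None, "petals-default")))
```

Passing `effective_passphrase(None, None)` instead (the default commented out, as in the Debian fix) yields the masked output the issue asks for.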
Christophe DENEUX made changes - Tue, 9 Feb 2016 - 15:32:38 +0100
Field Original Value New Value
Status New [ 10000 ] Open [ 10002 ]
Priority Major [ 3 ]
Christophe DENEUX made changes - Tue, 9 Feb 2016 - 15:34:04 +0100
Status Open [ 10002 ] In Progress [ 10003 ]
Christophe DENEUX added a comment - Tue, 9 Feb 2016 - 16:43:54 +0100

The definition of the default passphrase has been commented out in Debian packages.

Christophe DENEUX made changes - Tue, 9 Feb 2016 - 16:43:54 +0100
Status In Progress [ 10003 ] Resolved [ 10004 ]
Fix Version/s 2.3.0 [ 10605 ]
Resolution Fixed [ 1 ]
Transition (Status Change) | Time | Execution Times | Last Executer | Last Execution Date
New -> Open | 4d 21h 23m | 1 | Christophe DENEUX | Tue, 9 Feb 2016 - 15:32:38 +0100
Open -> In Progress | 1m 26s | 1 | Christophe DENEUX | Tue, 9 Feb 2016 - 15:34:04 +0100
In Progress -> Resolved | 1h 9m | 1 | Christophe DENEUX | Tue, 9 Feb 2016 - 16:43:54 +0100

Dates

  • Created: Thu, 4 Feb 2016 - 18:09:08 +0100
  • Updated: Tue, 9 Feb 2016 - 16:43:54 +0100
  • Resolved: Tue, 9 Feb 2016 - 16:43:53 +0100