YLChen-007 commented on code in PR #12006:
URL: https://github.com/apache/cloudstack/pull/12006#discussion_r2502061363


##########
server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java:
##########
@@ -534,7 +534,7 @@ private boolean verifyRequest(Map<String, Object[]> 
requestParameters) {
             // if api/secret key are passed to the parameters
             if ((signature == null) || (apiKey == null)) {
                 if (LOGGER.isDebugEnabled()) {
-                    LOGGER.debug("expired session, missing signature, or 
missing apiKey -- ignoring request...sig: " + signature + ", apiKey: " + 
apiKey);
+                    LOGGER.debug("expired session, missing signature, or 
missing apiKey -- ignoring request");
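Review bot: with both values dropped, the message on the `+` line can no longer tell a debugger which half of `if ((signature == null) || (apiKey == null))` fired, so the debug statement loses its diagnostic value entirely. Since the branch is already inside `LOGGER.isDebugEnabled()`, consider logging presence instead of content, e.g. `LOGGER.debug("expired session, missing signature, or missing apiKey -- ignoring request; signaturePresent=" + (signature != null) + ", apiKeyPresent=" + (apiKey != null));`, which keeps the sanitization while still recording what was missing. Note also that the enclosing condition guarantees at least one of the two is null on entry, so the removed message was always printing a literal null for one side anyway.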

Review Comment:
   @DaanHoogland Thank you for the feedback. While I agree that HMAC signatures are cryptographically secure, I believe logging them still poses security risks:
   
   **Key concerns:**
   
   1. **Log files ≠ Network transmission**: Logs are persistent, often stored in plaintext, and accessible to more parties (developers, ops, log aggregation systems) than encrypted HTTPS traffic.
   
   2. **Replay attack window**: If logs are compromised during the signature's validity period, attackers could potentially replay the request.
   
   3. **API Key enumeration**: Logging API Keys reveals which accounts exist, enabling targeted attacks and violating information disclosure principles.
   
   4. **Compliance & Best Practice**: OWASP and security standards recommend against logging authentication credentials, even derived ones like signatures.
   
   5. **Defense in depth**: Even if theoretically safe, removing sensitive data from logs reduces attack surface at minimal cost.
   
   **Suggested approach:**
   - Keep the sanitized logging (no signature/apiKey in output)
   - If debugging is needed, log only partial values (e.g., first 8 chars)
   
   This aligns with the principle of least privilege and real-world security practices.
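As an added example (not CloudStack code and not the commenter's), a small Java helper that implements the "partial values" suggestion above for the message in verifyRequest(): it always records whether each parameter was present and how long it was, and keeps a short prefix only when the value is long enough that the prefix reveals little of it. The class name, method names and the cut-off below are assumptions.

```java
/** Added example (not CloudStack code): build a debug message about a
 *  failed request verification without writing credentials to the log. */
public final class SafeCredentialLogging {

    // Leading characters kept for correlation; 8 follows the reviewer's
    // suggestion above and is a constructed default, not a project setting.
    private static final int PREFIX_CHARS = 8;

    private SafeCredentialLogging() {}

    /** Describe a credential-like value for a log line. Presence and
     *  length are always safe to emit; a prefix is emitted only when the
     *  value is at least four times longer than the prefix (assumed rule),
     *  so that a short secret is never partially exposed. */
    static String describe(String name, String value) {
        if (value == null) {
            return name + "=<absent>";
        }
        if (value.length() < 4 * PREFIX_CHARS) {
            // Too short to safely expose any part of it; report length only.
            return name + "=<redacted len=" + value.length() + ">";
        }
        return name + "=" + value.substring(0, PREFIX_CHARS)
                + "...(len=" + value.length() + ")";
    }

    /** Candidate replacement for the debug message in verifyRequest():
     *  says which parameter was missing without echoing either in full. */
    static String verifyFailureMessage(String signature, String apiKey) {
        return "expired session, missing signature, or missing apiKey"
                + " -- ignoring request; "
                + describe("signature", signature) + ", "
                + describe("apiKey", apiKey);
    }

    public static void main(String[] args) {
        // Constructed sample values; not real CloudStack credentials.
        String fakeApiKey = "constructed-api-key-0123456789abcdefghijklmnop";
        System.out.println(verifyFailureMessage(null, fakeApiKey));
        System.out.println(verifyFailureMessage("short-sig", null));
    }
}
```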


