Valeriy Ak created CAMEL-19477:
----------------------------------

Summary: MeterRegistry collects authorization data
Key: CAMEL-19477
URL: https://issues.apache.org/jira/browse/CAMEL-19477
Project: Camel
Issue Type: Bug
Components: camel-http, camel-micrometer
Affects Versions: 3.20.6
Reporter: Valeriy Ak
I found that some part of the metrics, specifically CamelExchangeEventNotifier_seconds_*, contains authentication parameters like authUsername and authPassword in the endpoint labels. I believe this is incorrect because it is collected by `MeterRegistry` (PrometheusMeterRegistry in my case) and returned on the endpoint /actuator/prometheus (if you are using Spring Boot Actuator as I am) as plain text. Therefore, anyone who can access the metrics can also obtain your credentials.

Details:

Step 1: Create a route with an http producer
{code:java}
from("direct:simple")
    .setHeader(Exchange.HTTP_METHOD, simple("GET"))
    .to(http("0.0.0.0:34001/stub")
        .authenticationPreemptive(true)
        .authMethod("Basic")
        .authUsername("login")
        .authPassword("my-super-secret-password"));
{code}

Step 2: Call this route
{code:java}
producerTemplate.sendBody("direct:simple", "test");
{code}

Step 3: Done. Now CollectorRegistry contains your secrets in labels
{code:java}
import java.io.StringWriter;
import java.io.Writer;
import io.prometheus.client.exporter.common.TextFormat;

var iterator = prometheusMeterRegistry.getPrometheusRegistry().metricFamilySamples();
Writer writer = new StringWriter(16); // same writer as used by Spring Boot Actuator
TextFormat.write004(writer, iterator);
var result = writer.toString();
{code}

Example:
{code:java}
CamelExchangeEventNotifier_seconds_max{camelContext=\"camel-1\",endpointName=\"http://0.0.0.0:34001/stub?authUsername=login&authenticationPreemptive=true&authMethod=Basic&authPassword=my-super-secret-password\",eventType=\"ExchangeSentEvent\",failed=\"false\",serviceName=\"MicrometerEventNotifierService\",} 0.222
{code}

I have pushed the complete example project - https://github.com/Akvel/example-password-in-metric-key

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
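A defender-side check for the leak described in this issue (an added example, not part of the report or of Camel itself): it parses Prometheus text-format output such as the /actuator/prometheus body, flags label values whose endpoint URI carries credential-looking query options, and returns a redacted copy that can be served or audited instead. The secret-parameter name list, the `xxxxxx` mask and the sample scrape lines are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Query-option names treated as credentials (constructed list; it matches Camel's
# authUsername/authPassword options by case-insensitive substring).
SECRET_PARAM = re.compile(r"password|passphrase|secret|token|username|credential", re.I)

# One Prometheus text-format sample: name{labels} value [timestamp]
SAMPLE_RE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)\{(.*)\}\s+(\S+)(?:\s+(\S+))?$")
# One label inside the braces; Micrometer's trailing comma is left untouched by sub().
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def redact_uri(uri):
    """Mask credential-looking query options; return (new_uri, masked_option_names)."""
    parts = urlsplit(uri)
    masked, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if SECRET_PARAM.search(key):
            masked.append(key)
            value = "xxxxxx"
        pairs.append(f"{key}={value}")
    return urlunsplit(parts._replace(query="&".join(pairs))), masked


def scan_exposition(text):
    """Return (redacted_text, findings) for a scrape body.
    findings is a list of (metric_name, label_name, masked_option_names)."""
    out, findings = [], []
    for line in text.splitlines():
        m = SAMPLE_RE.match(line)
        if not m:  # HELP/TYPE comments and unlabeled samples pass through unchanged
            out.append(line)
            continue
        name, labels, value, ts = m.groups()

        def fix_label(lm):
            key, val = lm.group(1), lm.group(2)
            if "?" not in val:  # not an endpoint URI carrying options
                return lm.group(0)
            new_val, masked = redact_uri(val)
            if masked:
                findings.append((name, key, masked))
            return f'{key}="{new_val}"'

        labels = LABEL_RE.sub(fix_label, labels)
        out.append(f"{name}{{{labels}}} {value}" + (f" {ts}" if ts else ""))
    return "\n".join(out), findings


# Constructed scrape output modelled on the label set shown in this issue.
SAMPLE = """# TYPE CamelExchangeEventNotifier_seconds_max gauge
CamelExchangeEventNotifier_seconds_max{camelContext="camel-1",endpointName="http://0.0.0.0:34001/stub?authUsername=login&authenticationPreemptive=true&authMethod=Basic&authPassword=my-super-secret-password",eventType="ExchangeSentEvent",failed="false",serviceName="MicrometerEventNotifierService",} 0.222
CamelExchangeEventNotifier_seconds_count{camelContext="camel-1",endpointName="direct://simple",eventType="ExchangeSentEvent",failed="false",serviceName="MicrometerEventNotifierService",} 1.0
"""

if __name__ == "__main__":
    redacted, findings = scan_exposition(SAMPLE)
    for metric, label, options in findings:
        print(f"{metric}: label {label!r} exposed {options}")
    print(redacted)
```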