Valeriy Ak created CAMEL-19477:
----------------------------------
Summary: MeterRegistry collects authorization data
Key: CAMEL-19477
URL: https://issues.apache.org/jira/browse/CAMEL-19477
Project: Camel
Issue Type: Bug
Components: camel-http, camel-micrometer
Affects Versions: 3.20.6
Reporter: Valeriy Ak
I found that some part of the metrics, specifically
CamelExchangeEventNotifier_seconds_*, contains authentication parameters like
authUsername and authPassword in the endpoint labels.
I believe this is incorrect because it is collected by `MeterRegistry`
(PrometheusMeterRegistry in my case) and returned on the endpoint
/actuator/prometheus (if you are using Spring Boot Actuator, as I am) as plain text.
Therefore, anyone who can access the metrics can also obtain your credentials.
Details:
Step 1: Create a route with an HTTP producer
{code:java}
from("direct:simple")
    .setHeader(Exchange.HTTP_METHOD, simple("GET"))
    .to(http("0.0.0.0:34001/stub")
        .authenticationPreemptive(true)
        .authMethod("Basic")
        .authUsername("login")
        .authPassword("my-super-secret-password"));
{code}
Step 2: Call this route
{code:java}
producerTemplate.sendBody("direct:simple", "test");
{code}
Step 3: Done. Now the CollectorRegistry contains your secrets in the labels
{code:java}
import java.io.StringWriter;
import java.io.Writer;
import io.prometheus.client.exporter.common.TextFormat;

// enumerate every metric family registered so far
var iterator = prometheusMeterRegistry.getPrometheusRegistry().metricFamilySamples();
Writer writer = new StringWriter(16);
// same writer as used by Spring Boot Actuator
TextFormat.write004(writer, iterator);
var result = writer.toString();
{code}
Example:
{code}
CamelExchangeEventNotifier_seconds_max{camelContext="camel-1",endpointName="http://0.0.0.0:34001/stub?authUsername=login&authenticationPreemptive=true&authMethod=Basic&authPassword=my-super-secret-password",eventType="ExchangeSentEvent",failed="false",serviceName="MicrometerEventNotifierService",} 0.222
{code}
I have pushed the complete example project -
https://github.com/Akvel/example-password-in-metric-key
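As an added illustration (not part of this issue or of Camel's own code), a consumer-side mitigation: a Micrometer MeterFilter that masks the credential query parameters in the endpointName tag before any meter is registered, so they never reach the exposition endpoint. The class name, the parameter list in the regex and the mask value are assumptions.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import io.micrometer.core.instrument.MeterRegistry;
import io.micrometer.core.instrument.config.MeterFilter;
import io.micrometer.core.instrument.simple.SimpleMeterRegistry;

/**
 * Hypothetical mitigation: rewrite the "endpointName" tag so that credential
 * parameters are masked before Micrometer stores the meter.
 */
public final class EndpointNameRedactor {

    // Assumed list of sensitive parameter names; extend it for other components.
    private static final Pattern SECRET_PARAM = Pattern.compile(
            "([?&](?:authUsername|authPassword)=)[^&]*", Pattern.CASE_INSENSITIVE);

    /** "...?authUsername=login&authPassword=s3cret" -> "...?authUsername=xxxxxx&authPassword=xxxxxx" */
    public static String redact(String endpointUri) {
        if (endpointUri == null) {
            return null;
        }
        Matcher m = SECRET_PARAM.matcher(endpointUri);
        return m.replaceAll("$1xxxxxx");
    }

    /** Installs the filter; it must run before the first meter is created. */
    public static void install(MeterRegistry registry) {
        registry.config().meterFilter(
                MeterFilter.replaceTagValues("endpointName", EndpointNameRedactor::redact));
    }

    public static void main(String[] args) {
        MeterRegistry registry = new SimpleMeterRegistry();
        install(registry);
        // Constructed sample tag value mirroring the label quoted in the report
        String leaky = "http://0.0.0.0:34001/stub?authUsername=login"
                + "&authenticationPreemptive=true&authMethod=Basic"
                + "&authPassword=my-super-secret-password";
        registry.timer("CamelExchangeEventNotifier", "endpointName", leaky)
                .record(222, TimeUnit.MILLISECONDS);
        // Prints the stored tags; both credential values now read "xxxxxx"
        registry.getMeters().forEach(meter -> System.out.println(meter.getId().getTags()));
    }
}
```

In a Spring Boot application the same filter can be contributed as a MeterFilter bean, which Actuator applies to the auto-configured registry. This only masks the parameters listed in the regex, so it is a stopgap until the notifier itself stops emitting raw endpoint URIs.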
--
This message was sent by Atlassian Jira
(v8.20.10#820010)