Repository: zeppelin
Updated Branches:
  refs/heads/master 33eb08be7 -> ad3138385

[ZEPPELIN-2733] Remove System Information Leak in Authentication.java.

### What is this PR for?
An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.

In the file Authentication.java,
```
Line 137: LOG.debug("Encrypted user key is {}", userKey);
Line 148: LOG.debug("IV is {}, IV length is {}", initVector, initVector.length());
```
These lines may print information which can reveal some important data to the user, making it vulnerable to attacks. We should not log this sensitive information.

### What type of PR is it?
[Improvement]

### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-2733

### How should this be tested?
Existing tests.

### Screenshots (if appropriate)

### Questions:
* Do the license files need an update? - No
* Are there breaking changes for older versions? - No
* Does this need documentation? - No

Author: Yanbo Liang <yblia...@gmail.com>

Closes #2468 from yanboliang/zeppelin-2733 and squashes the following commits:

ce485ae [Yanbo Liang] Remove System Information Leak in Authentication.java.

Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/ad313838 Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/ad313838 Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/ad313838 Branch: refs/heads/master Commit: ad3138385350e62e7a612f2237519441e1adbf84 Parents: 33eb08b Author: Yanbo Liang <yblia...@gmail.com> Authored: Thu Jul 6 14:31:15 2017 +0800 Committer: Lee moon soo <m...@apache.org> Committed: Mon Jul 10 13:03:40 2017 +0900 ---------------------------------------------------------------------- .../notebook/repo/zeppelinhub/security/Authentication.java | 2 -- 1 file changed, 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/zeppelin/blob/ad313838/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java ---------------------------------------------------------------------- diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java index 4b8b42d..76968e4 100644 --- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java +++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java @@ -134,7 +134,6 @@ public class Authentication implements Runnable { // returns login:password private String getAuthKey(String userKey) { - LOG.debug("Encrypted user key is {}", userKey); if (StringUtils.isBlank(userKey)) { LOG.warn("ZEPPELINHUB_USER_KEY is blank"); return StringUtils.EMPTY; 
@@ -145,7 +144,6 @@ public class Authentication implements Runnable { } private String decrypt(String value, String initVector) { - LOG.debug("IV is {}, IV length is {}", initVector, initVector.length()); if (StringUtils.isBlank(value) || StringUtils.isBlank(initVector)) { LOG.error("String to decode or salt is not provided"); return StringUtils.EMPTY;
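
Review bot: In the first hunk (getAuthKey), the context comment `// returns login:password` shows the method handles credentials, but nothing left in the code tells a later contributor that neither `userKey` nor the return value may be logged. Consider extending that comment, for example `// returns login:password; never log userKey or the result`, so the debug line removed here is not reintroduced during troubleshooting. The remaining `LOG.warn("ZEPPELINHUB_USER_KEY is blank")` names only the setting and is fine to keep.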
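
Review bot: In the second hunk (decrypt), the surviving message `LOG.error("String to decode or salt is not provided")` calls the missing input a salt while the parameter is `initVector`; reword it to say "initialization vector" so the log matches the code. The commit message could also record that the removed `LOG.debug` called `initVector.length()` ahead of the `StringUtils.isBlank(initVector)` check, so a null `initVector` would have thrown there instead of reaching the error branch; dropping the line removes that failure path as well.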