Kibana: config-schema shouldn't log sensitive data

Created on 26 Feb 2020  路  3Comments  路  Source: elastic/kibana

A customer complains that we config-schema logs sensitive data in the plain text

We provided an invalid encryption key for Kibana 7.6.0 and were surprised to find that when there is an error it logs the encryption key in plain text:
config validation of [xpack.encryptedSavedObjects].encryptionKey]: value is [some_value] but it must have a minimum length of [32].

We need to provide a way to filter out sensitive data. For example, we can mark a key as containing sensitive data to prevent disclosure.

New Platform Core
Source
picture restrry

Most helpful comment

One other option would be to have a convention to never display the actual data value in any error message. It seems there are only very few messages where we do display the raw values. Most messages are like expected value of type [string] but got [${typeDetect(value)}]

The value is [some_value] but it must have a minimum length of [32] could be changed to valuehas length [XX] but it must have a minimum length of [32].

This would avoid introducing a parameter for that, and the risk that a developer actually forget to flag sensitive data validation with it.

picture pgayvallet on 27 Feb 2020
👍4

All 3 comments

Pinging @elastic/kibana-platform (Team:Platform)

elasticmachine picture elasticmachine on 26 Feb 2020

One other option would be to have a convention to never display the actual data value in any error message. It seems there are only very few messages where we do display the raw values. Most messages are like expected value of type [string] but got [${typeDetect(value)}]

The value is [some_value] but it must have a minimum length of [32] could be changed to valuehas length [XX] but it must have a minimum length of [32].

This would avoid introducing a parameter for that, and the risk that a developer actually forget to flag sensitive data validation with it.

pgayvallet picture pgayvallet on 27 Feb 2020
👍4

So, after a 'quick' look, impacted types are:

  • uri

https://github.com/elastic/kibana/blob/790739b41bc468e7b4b534f220358a79398fb05f/packages/kbn-config-schema/src/types/uri_type.ts#L38-L41

  • string

https://github.com/elastic/kibana/blob/7949f34e0c64a90f4eb1879d1c61d116582ffd75/packages/kbn-config-schema/src/types/string_type.ts#L45-L59

https://github.com/elastic/kibana/blob/7949f34e0c64a90f4eb1879d1c61d116582ffd75/packages/kbn-config-schema/src/types/string_type.ts#L68-L69

  • number

https://github.com/elastic/kibana/blob/b2baf32fba2f09b034324489bd0c2bbb21bcb668/packages/kbn-config-schema/src/types/number_type.ts#L48-L51

  • record / object / map

https://github.com/elastic/kibana/blob/c13b0751f30ff46b643ef1bb0f54fe8e869279a4/packages/kbn-config-schema/src/types/record_type.ts#L43-L44

  • literal

https://github.com/elastic/kibana/blob/94b2b83bd7e7f5989ae1d3ae3e977f9375403986/packages/kbn-config-schema/src/types/literal_type.ts#L31-L32

  • byte_size

https://github.com/elastic/kibana/blob/b2baf32fba2f09b034324489bd0c2bbb21bcb668/packages/kbn-config-schema/src/types/byte_size_type.ts#L63-L70

Hiding the actual value in some of these errors will strongly reduce the help the message actually provides (thinking about literal, number, byte_size mostly but all overall). It's probably not that important though. Do we think this is still acceptable to just remove value reference in every of them?

pgayvallet picture pgayvallet on 27 Feb 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

bhavyarm picture bhavyarm  路  3Comments
bradvido picture bradvido  路  3Comments
ctindel picture ctindel  路  3Comments
treussart picture treussart  路  3Comments
celesteking picture celesteking  路  3Comments