Artifactory decrypts passwords in debug mode

Published 2025-01-20 20:42:55

Setup:
Artifactory 7.33.12 with pro license
(satellite pass-through multiple Artifactories)
Ubuntu 20.04 LTS

I switched all my Artifactories to debug mode with logback.xml.
I changed all entries with level:info or with level:warn to level:debug.

After these changes the Artifactory servers began
right away to show passwords in plaintext. We have local and LDAP users.

Log snippet:

2022-04-04T10:46:57.758Z [jfrt ] [DEBUG] [bf2d7f554f68c503] [o.a.h.wire:87                 ] [ttp-nio-8080-exec-75] - http-outgoing-145231 >> "{"username":"username1","password":"plaintext"}"
2022-04-04T10:00:59.763Z [jfrt ] [DEBUG] [e227b7e38f035f2b] [o.a.h.wire:87                 ] [tp-nio-8080-exec-150] - http-outgoing-143844 >> "{"username":"username2","password":"plaintext"}"

The plaintext passwords were always generated if a user entered a wrong password (failed login);
this password was then in the Artifactory logs in plaintext.
I immediately switched the logback.xml back to level: warn and info and the passwords were encrypted again. The following log message looks weird:

./router-request.log:{"BackendAddr":"localhost:8040","ClientAddr":"127.0.0.1:38458","DownstreamContentSize":216532,"DownstreamStatus":200,"Duration":164389727,"RequestMethod":"GET","RequestPath":"/access/api/v1/users/?expand=passwords\u0026expand=encryptedData","StartUTC":"2022-04-08T09:52:53.86050316Z","level":"info","msg":"","request_Uber-Trace-Id":"28f3f17dc93f35c6:1b30ff214f5c8529:178287af7a330c6e:0","request_User-Agent":"JFrog Access Java Client/7.35.0 73500900  Artifactory/7.33.12 73312900","time":"2022-04-08T11:52:54+02:00"}

Does anyone know why this happened? Is that a bug?
I can't believe that was an intended behavior.
A production system cannot display passwords in plaintext.

Does anyone have an idea?
Please help
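
An added example, not part of the original post and not JFrog code: a scrubber for logs written while the debug level was active, which finds `o.a.h.wire` lines carrying a JSON `password` field, redacts the value, and lists the affected usernames so those credentials can be rotated. It assumes the line layout quoted in the post; the sample lines, the placeholder logger name on the non-wire line and the redaction marker are constructed.

```python
import re

# Logger tag of the wire-level lines shown in the post.
WIRE_TAG = re.compile(r"\[o\.a\.h\.wire:\d+\s*\]")
# JSON string value, allowing backslash-escaped characters inside it.
_STR = r'"((?:[^"\\]|\\.)*)"'
USERNAME = re.compile(r'"username"\s*:\s*' + _STR)
PASSWORD = re.compile(r'("password"\s*:\s*)' + _STR)


def scrub(lines):
    """Return (redacted_lines, findings) for wire-log lines carrying a password.

    findings is a list of (line_number, timestamp, username) so the affected
    accounts can be rotated; the password itself is never returned.
    """
    redacted, findings = [], []
    for number, line in enumerate(lines, start=1):
        if WIRE_TAG.search(line) and PASSWORD.search(line):
            user = USERNAME.search(line)
            findings.append((number, line.split(" ", 1)[0],
                             user.group(1) if user else None))
            # A function replacement avoids backslash handling in the template.
            line = PASSWORD.sub(lambda m: m.group(1) + '"***REDACTED***"', line)
        redacted.append(line)
    return redacted, findings


# Constructed sample input in the format quoted in the post.
SAMPLE = [
    '2022-04-04T10:46:57.758Z [jfrt ] [DEBUG] [bf2d7f554f68c503] [o.a.h.wire:87                 ] '
    '[ttp-nio-8080-exec-75] - http-outgoing-145231 >> "{"username":"username1","password":"plaintext"}"',
    '2022-04-04T10:46:58.010Z [jfrt ] [INFO ] [bf2d7f554f68c503] [o.a.example.Placeholder:10    ] '
    '[ttp-nio-8080-exec-75] - constructed non-wire line, password word only',
    '2022-04-04T10:00:59.763Z [jfrt ] [DEBUG] [e227b7e38f035f2b] [o.a.h.wire:87                 ] '
    r'[tp-nio-8080-exec-150] - http-outgoing-143844 >> "{"username":"username2","password":"pl\"ain"}"',
]

if __name__ == "__main__":
    clean, hits = scrub(SAMPLE)
    for number, timestamp, user in hits:
        print(f"line {number} at {timestamp}: password exposed for {user!r}")
    print("\n".join(clean))
```

The third sample line has an escaped quote inside the password; a pattern that stops at the first `"` would leave the tail of the secret in the scrubbed log.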
