Skip to content

[Security] DefaultStreamLoader is exposing sensitive information #415

New issue
New issue
Open
#416
Open
[Security] DefaultStreamLoader is exposing sensitive information#415
#416
@fabrizziocht

Description

@fabrizziocht
fabrizziocht
opened on Mar 1, 2025

Hello! I was debugging the logs emited by the connector and I found that the class DefaultStreamLoader exposes sensitive information like the username and password used to connect to starrocks during the loadstream process.

https://github.com/StarRocks/starrocks-connector-for-apache-flink/blob/main/starrocks-stream-load-sdk/src/main/java/com/starrocks/data/load/stream/DefaultStreamLoader.java#L131

public void start(StreamLoadProperties properties, StreamLoadManager manager) {
        if (start.compareAndSet(false, true)) {
            // previous code
           // ....
           // the last line contains the next messge:
            log.info("Default Stream Loader start, properties : {}, defaultHeaders : {}",
                    propertiesStr, headerStr);
        }
    }

The defaultHeaders is printing sensitive information , this is a sample of the collected log:
Default Stream Loader start, properties : {"jdbcUrl":"jdbc:mysql://my-starrocks-service:9030","loadUrls":["http://my-starrocks-service:8030","http://my-starrocks-service:8030"],"username":"my-user","version":"3.1.17-67ae3b7","starRocksVersion":{"major":3,"minor":1,"patch":17},"labelPrefix":null,"defaultTableProperties":{"uniqueKey":"mydb.mytable","database":"mydb","table":"mytable","dataFormat":"JsonFormat{first=[, delimiter=,, end=]}","tableProperties":{},"properties":{"db":"mydb","table":"mytable"},"enableUpsertDelete":true,"chunkLimit":3221225472,"maxBufferRows":2147483647,"columns":null,"commonProperties":{"format":"json"}},"tablePropertiesMap":{},"enableTransaction":true,"scanningFrequency":50,"maxCacheBytes":94371840,"expectDelayTime":300000,"connectTimeout":30000,"socketTimeout":-1,"waitForContinueTimeoutMs":30000,"ioThreadCount":2,"writingThreshold":50,"regionBufferRatio":0.6,"youngThreshold":0.1,"oldThreshold":0.9,"maxRetries":0,"retryIntervalInMs":10000,"headers":{"format":"json","strip_outer_array":"true","ignore_json_size":"true"},"opAutoProjectionInJson":true}, defaultHeaders : [{"name":"format","value":"json","elements":[{"name":"json","value":null,"parameters":[],"parameterCount":0}]},{"name":"Authorization","value":"Basic bXktdXNlcjpteS1wYXNzd29yZA==","elements":[{"name":"Basic bXktdXNlcjpteS1wYXNzd29yZA","value":"=","parameters":[],"parameterCount":0}]},{"name":"strip_outer_array","value":"true","elements":[{"name":"true","value":null,"parameters":[],"parameterCount":0}]},{"name":"Expect","value":"100-continue","elements":[{"name":"100-continue","value":null,"parameters":[],"parameterCount":0}]},{"name":"ignore_json_size","value":"true","elements":[{"name":"true","value":null,"parameters":[],"parameterCount":0}]},{"name":"timeout","value":"600","elements":[{"name":"600","value":null,"parameters":[],"parameterCount":0}]}]

It is super easy to transform the Authorization value from base64 to a plain text and get the password!, what if simple remove this log or change the shown data? other posible option can be become a debug log, not info.

Regards,
Fabri

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions