DB Credentials Leak When Using AlloyDB #2795

Open
pvpablo opened this issue Nov 13, 2024 · 1 comment
Labels
priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: security

Comments

pvpablo commented Nov 13, 2024

Describe the bug

When using AlloyDB, credentials are leaked through error logging in the frontend.

To Reproduce

  1. Add an item to cart (say, Tank Top, qty=1)
  2. Go back and add the same item again (Tank Top, qty=2)
  3. An error page is displayed
  4. The error lists DB credentials in plain text

Logs

rpc error: code = FailedPrecondition desc = Can't access cart storage at Host=PRIVATE_IP;Username=USER;Password=PASSWORD;Database=carts. Npgsql.PostgresException (0x80004005): 23505: duplicate key value violates unique constraint "cart_items_pkey"

Environment

Frontend, Chrome Browser

Exposure

Persistent

@bourgeoisor
Member

Good catch.

This is the line where the log comes from:

new Status(StatusCode.FailedPrecondition, $"Can't access cart storage at {connectionString}. {ex}"));

@bourgeoisor bourgeoisor added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: security labels Nov 17, 2024
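
One way to keep the connection string out of the client-facing status, as an added example that is not the project's code or its fix: the client gets a generic message with an error id, and the server log gets the exception plus only allowlisted, non-secret connection fields. The names `CartErrorReporting`, `DescribeTarget`, `Report` and `LoggableKeys` are hypothetical, and the BCL `DbConnectionStringBuilder` is used in place of Npgsql so the sketch has no package dependencies.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

public static class CartErrorReporting
{
    // Allowlist (an assumption of this example): only these keys may reach a log.
    // Username, Password and every other keyword are dropped, not masked.
    private static readonly string[] LoggableKeys = { "Host", "Database" };

    // Reduce a connection string to its allowlisted, non-secret fields.
    public static string DescribeTarget(string connectionString)
    {
        var parts = new List<string>();
        try
        {
            var builder = new DbConnectionStringBuilder { ConnectionString = connectionString };
            foreach (var key in LoggableKeys)
                if (builder.TryGetValue(key, out var value))
                    parts.Add($"{key}={value}");
        }
        catch (ArgumentException)
        {
            // Malformed input: never fall back to echoing the raw string.
            return "<unparseable connection string>";
        }
        return parts.Count > 0 ? string.Join(";", parts) : "<no loggable fields>";
    }

    // ServerLog keeps the full exception for operators; ClientMessage is the only
    // text that would go into new Status(StatusCode.FailedPrecondition, ...).
    public static (string ServerLog, string ClientMessage) Report(string connectionString, Exception ex)
    {
        var errorId = Guid.NewGuid().ToString("N");
        var serverLog = $"[{errorId}] cart storage failure at {DescribeTarget(connectionString)}: {ex}";
        var clientMessage = $"Can't access cart storage (error id {errorId}).";
        return (serverLog, clientMessage);
    }

    public static void Main()
    {
        // Constructed sample built from the placeholder values in the issue's log line.
        var cs = "Host=PRIVATE_IP;Username=USER;Password=PASSWORD;Database=carts";
        var (log, client) = Report(cs, new InvalidOperationException("duplicate key (constructed)"));
        Console.WriteLine(log);
        Console.WriteLine(client);
    }
}
```

The error id lets an operator match a user's error page to the server-side log entry without any connection detail or exception text crossing the RPC boundary.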