
Conversation

@YLChen-007

HMAC Signatures and API Keys Logged in Plaintext Across Authentication Components #11988

@boring-cyborg

boring-cyborg bot commented Nov 6, 2025

Congratulations on your first Pull Request and welcome to the Apache CloudStack community! If you have any issues or are unsure about anything please check our Contribution Guide (https://github.com/apache/cloudstack/blob/main/CONTRIBUTING.md)
Here are some useful points:

…n tokens) are being logged directly or exposed through exception messages.
@DaanHoogland DaanHoogland left a comment

thanks for picking this up @YLChen-007. some comments but clgtm.

logger.info("Building class loader for com.cloud.consoleproxy.ConsoleProxy");
if (consoleProxyMain == null) {
logger.info("Running com.cloud.consoleproxy.ConsoleProxy with encryptor password={}", encryptorPassword);
logger.info("Running com.cloud.consoleproxy.ConsoleProxy with encryptor password={}", "******");
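
Review bot: passing the mask as a format argument in the replacement line reads as if a real value were still being substituted into the message; a literal `logger.info("Running com.cloud.consoleproxy.ConsoleProxy with encryptor password=******");` says the same thing with no placeholder machinery, and since the masked value conveys nothing to the reader the `password=` fragment could be dropped from the message altogether.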

Suggested change
logger.info("Running com.cloud.consoleproxy.ConsoleProxy with encryptor password={}", "******");
logger.info("Running com.cloud.consoleproxy.ConsoleProxy with encryptor password=******");

if ((signature == null) || (apiKey == null)) {
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("expired session, missing signature, or missing apiKey -- ignoring request...sig: " + signature + ", apiKey: " + apiKey);
LOGGER.debug("expired session, missing signature, or missing apiKey -- ignoring request");
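
Review bot: the surrounding `LOGGER.isDebugEnabled()` guard is now redundant; it only paid for itself while the message concatenated `signature` and `apiKey`, and a `debug(...)` call with a constant string performs the level check itself. If the diagnostic value of the old line matters, consider stating which of the two inputs was absent (for example `"... signature present: " + (signature != null) + ", apiKey present: " + (apiKey != null)`) rather than echoing the values, which keeps the log useful without reintroducing the credentials.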

why do you consider this one harmful? if so, this is going over the connection as well. The apikey should not be a secret and the signature is generated from the apikey and the secretkey so should not give any information.

Author

@DaanHoogland Thank you for the feedback. While I agree that HMAC signatures are cryptographically secure, I believe logging them still poses security risks:

Key concerns:

  1. Log files ≠ Network transmission: Logs are persistent, often stored in plaintext, and accessible to more parties (developers, ops, log aggregation systems) than encrypted HTTPS traffic.

  2. Replay attack window: If logs are compromised during the signature's validity period, attackers could potentially replay the request.

  3. API Key enumeration: Logging API Keys reveals which accounts exist, enabling targeted attacks and violating information disclosure principles.

  4. Compliance & Best Practice: OWASP and security standards recommend against logging authentication credentials, even derived ones like signatures.

  5. Defense in depth: Even if theoretically safe, removing sensitive data from logs reduces attack surface at minimal cost.

Suggested approach:

  • Keep the sanitized logging (no signature/apiKey in output)
  • If debugging is needed, log only partial values (e.g., first 8 chars)

This aligns with the principle of least privilege and real-world security practices.
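
As an added illustration of the sanitized and partial-value logging suggested in the comment above (example code, not CloudStack's own; the class name, the set of parameter names treated as credentials and the sample request are assumptions made for this example):

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical helper, not part of CloudStack: masks credentials before they
 * reach a log line. Secrets are fully masked; identifiers that operators still
 * need for correlation keep a short prefix (the "first 8 chars" idea above).
 */
public final class CredentialLogMasker {

    // Parameter names treated as credentials. This set is assumed for the example.
    private static final Pattern SENSITIVE_PARAM =
            Pattern.compile("(?i)\\b(signature|apikey|secretkey|sessionkey|password)=([^&\\s]*)");

    // Leading characters that may stay visible in a partial value.
    private static final int VISIBLE_PREFIX = 8;

    private CredentialLogMasker() {
    }

    /** Replaces the whole value; the length is hidden too, so nothing about the secret leaks. */
    public static String mask(String value) {
        return value == null ? "null" : "******";
    }

    /**
     * Keeps at most VISIBLE_PREFIX characters. Values that are not clearly
     * longer than the prefix are fully masked, otherwise a "partial" view
     * would reveal most of a short secret.
     */
    public static String partial(String value) {
        if (value == null) {
            return "null";
        }
        if (value.length() <= VISIBLE_PREFIX * 2) {
            return "******";
        }
        return value.substring(0, VISIBLE_PREFIX) + "...";
    }

    /** Rewrites every sensitive key=value pair in a query string or free-form message. */
    public static String redact(String text) {
        if (text == null) {
            return null;
        }
        Matcher m = SENSITIVE_PARAM.matcher(text);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String replacement = m.group(1) + "=" + partial(m.group(2));
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample request; the apiKey and signature values are made up.
        String query = "command=listVirtualMachines"
                + "&apiKey=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
                + "&signature=Zm9vYmFyYmF6cXV4cXV1eGxvbmdlcg%3D%3D"
                + "&response=json";

        // The pattern the PR removes: raw credentials end up in the log file.
        System.out.println("UNSAFE : request " + query);

        // Sanitized: identifiers keep a correlation prefix, nothing else survives.
        System.out.println("SAFE   : request " + redact(query));

        // Null and short values, as in the null-check branch shown in the review above.
        System.out.println("SAFE   : apiKey=" + mask(null)
                + ", signature=" + partial("tooShort"));
    }
}
```

The regex-based `redact` is meant for the request-level log statements, where the credentials arrive embedded in a query string; `mask` and `partial` cover the case where the code already holds the value in a variable, as in the two hunks discussed above.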

Contributor

ok, @YLChen-007 makes sense.

@DaanHoogland DaanHoogland added this to the 4.23 milestone Nov 7, 2025
@DaanHoogland
Contributor

one more remark @YLChen-007 , could you rebase this on the 4.20 branch? It seems applicable to all versions. We usually merge forward from the oldest still supported branch so it will be in 20.3, 22.1 and 23 releases.

@YLChen-007
Author

one more remark @YLChen-007 , could you rebase this on the 4.20 branch? It seems applicable to all versions. We usually merge forward from the oldest still supported branch so it will be in 20.3, 22.1 and 23 releases.

@DaanHoogland Sure, I'll rebase this PR onto the 4.20 branch.
Give me a moment to update it.

@codecov

codecov bot commented Nov 7, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.58%. Comparing base (a50de02) to head (a98887b).

❗ There is a different number of reports uploaded between BASE (a50de02) and HEAD (a98887b). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (a50de02) HEAD (a98887b)
unittests 1 0
Additional details and impacted files
@@              Coverage Diff              @@
##               main   #12006       +/-   ##
=============================================
- Coverage     17.56%    3.58%   -13.98%     
=============================================
  Files          5909      445     -5464     
  Lines        529059    37534   -491525     
  Branches      64617     6901    -57716     
=============================================
- Hits          92919     1346    -91573     
+ Misses       425687    36024   -389663     
+ Partials      10453      164    -10289     
Flag Coverage Δ
uitests 3.58% <ø> (ø)
unittests ?


@DaanHoogland
Contributor

one more remark @YLChen-007 , could you rebase this on the 4.20 branch? It seems applicable to all versions. We usually merge forward from the oldest still supported branch so it will be in 20.3, 22.1 and 23 releases.

@DaanHoogland Sure, I'll rebase this PR onto the 4.20 branch. Give me a moment to update it.

Thanks @YLChen-007 , the linter had some complaints about trailing spaces. Please take those into account as well.

The rebasing can be considered for all your recent contributions, btw.

@YLChen-007 YLChen-007 changed the base branch from main to 4.20 November 7, 2025 13:08
@YLChen-007 YLChen-007 changed the base branch from 4.20 to main November 7, 2025 13:10
@YLChen-007 YLChen-007 closed this Nov 7, 2025