Thomas Holmes created KAFKA-5117:
------------------------------------

             Summary: Kafka Connect REST endpoints reveal Password typed values
                 Key: KAFKA-5117
                 URL: https://issues.apache.org/jira/browse/KAFKA-5117
             Project: Kafka
          Issue Type: Bug
          Components: KafkaConnect
    Affects Versions: 0.10.2.0
            Reporter: Thomas Holmes


A Kafka Connect connector can specify ConfigDef keys as type Password. This 
type was added to prevent logging the values (instead, "[hidden]" is logged).

This change does not apply to the values returned by executing a GET on 
{{connectors/\{connector-name\}}} and {{connectors/\{connector-name\}/config}}. 
This creates an easily accessible way for an attacker who has infiltrated your 
network to gain access to potential secrets that should not be available.

I have started on a code change that addresses this issue by parsing the config 
values through the ConfigDef for the connector and returning their output 
instead (which leads to the masking of Password typed configs as [hidden]).



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

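Added illustration of the masking approach the issue describes (this is not the reporter's patch and not Kafka's own code): a hypothetical connector ConfigDef with one Password-typed key is built, a constructed raw config is parsed through it, and the REST-facing view is produced from the parsed values, so the Password entry surfaces via Password.toString() as "[hidden]" while the connector itself can still read it via Password.value(). Key names and sample values are constructed.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.config.types.Password;

public class MaskedConnectorConfig {

    // Hypothetical connector ConfigDef: one ordinary key and one secret key.
    // Key names are illustrative, not taken from any real connector.
    static final ConfigDef CONFIG_DEF = new ConfigDef()
        .define("connection.url", ConfigDef.Type.STRING,
                ConfigDef.Importance.HIGH, "JDBC URL of the source database")
        .define("connection.password", ConfigDef.Type.PASSWORD,
                ConfigDef.Importance.HIGH, "Password for the database user");

    /**
     * Builds the config map a REST response should expose: values are run
     * through the ConfigDef, so PASSWORD-typed keys become Password objects
     * and are rendered with Password.toString(), which hides the secret.
     * Keys the ConfigDef does not define are passed through unchanged.
     */
    static Map<String, String> maskedView(ConfigDef def, Map<String, String> raw) {
        Map<String, Object> parsed = def.parse(raw);
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : raw.entrySet()) {
            Object v = parsed.containsKey(e.getKey()) ? parsed.get(e.getKey()) : e.getValue();
            out.put(e.getKey(), v == null ? null : v.toString());
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> raw = new HashMap<>();  // constructed sample config
        raw.put("connection.url", "jdbc:postgresql://db.example:5432/app");
        raw.put("connection.password", "s3cr3t");
        raw.put("tasks.max", "1");  // not in the ConfigDef, passed through as-is

        // Before: the raw map, as the affected endpoints returned it.
        System.out.println("raw    : " + raw);
        // After: the parsed view, with the Password-typed key masked.
        System.out.println("masked : " + maskedView(CONFIG_DEF, raw));

        // The connector still receives the real secret through Password.value().
        Password p = (Password) CONFIG_DEF.parse(raw).get("connection.password");
        System.out.println("connector can read secret: " + "s3cr3t".equals(p.value()));
    }
}
```

ConfigDef.parse() also validates the config, so a missing required key raises a ConfigException; a real endpoint would need to decide whether to surface that or fall back to a plain key-name-based mask.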