Closed
Description:
Summary
The ApiServer.handleRequest() method logs all API request parameters at TRACE level without sanitizing sensitive credentials, leading to exposure of passwords, secret keys, and authentication tokens in log files.
Vulnerability Details
Location
- File: `server/src/main/java/com/cloud/api/ApiServer.java`
- Method: `handleRequest()`
- Specific Line: `logger.trace(" key: " + keyStr + ", value: " + ((value == null) ? "'null'" : value[0]));`
Issue Description
When a command is missing or during request processing, the method emits every request parameter and its value at TRACE log level without any sanitization. This includes sensitive fields such as:
- `password` (e.g., from `DefaultResetPasswordAPIAuthenticatorCmd` and other authentication commands)
- `secretkey` (API secret keys)
- `apikey` (API keys)
- Authentication tokens
- Any other caller-supplied credentials
Impact: All sensitive credentials passed through API requests are logged in plaintext, making them accessible through:
- Log files on disk
- Centralized logging systems
- Log aggregation platforms
- System monitoring tools
Recommended Fix
Mask Sensitive Fields Before Logging
Use existing utility methods to sanitize parameters before logging:
```java
// Use StringUtils.cleanString() combined with explicit field scrubbing
Map<String, Object> sanitizedParams = new HashMap<>(params);
List<String> sensitiveFields = Arrays.asList("password", "secretkey", "apikey", "token", "sessionkey");
for (String field : sensitiveFields) {
    if (sanitizedParams.containsKey(field)) {
        sanitizedParams.put(field, "******");
    }
}
// Log sanitized parameters
LOGGER.trace("Request parameters: {}", sanitizedParams);
```

References
- OWASP Logging Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
- CWE-532: https://cwe.mitre.org/data/definitions/532.html
- PCI-DSS Requirement 3.4: Render PAN unreadable (applies to all sensitive data)
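
The following is an added example, not code from the issue or from the CloudStack code base. It shows the masking step as a stand-alone class that keeps the per-key trace format quoted above. It assumes the request parameters are a map of name to `String[]` (as the `value[0]` in the quoted line suggests) and that key matching should be case-insensitive; the class name `ParamLogSanitizer`, its method and the sample values are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added illustration; names are hypothetical and this is not CloudStack code.
public class ParamLogSanitizer {
    // Field names taken from the list suggested in the issue.
    private static final Set<String> SENSITIVE_KEYS =
            Set.of("password", "secretkey", "apikey", "token", "sessionkey");
    private static final String MASK = "******";

    /** Returns a loggable copy of the parameters; the input map is not modified. */
    public static Map<String, String> sanitize(Map<String, String[]> params) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String key = e.getKey();
            String[] value = e.getValue();
            String shown;
            if (key != null && SENSITIVE_KEYS.contains(key.toLowerCase(Locale.ROOT))) {
                // Assumption: match case-insensitively so "Password" or "apiKey" is also masked.
                shown = MASK;
            } else if (value == null || value.length == 0) {
                shown = "'null'";   // same placeholder as the quoted trace line
            } else {
                shown = value[0];   // log the first element, not the array object
            }
            out.put(key, shown);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request parameters.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("command", new String[] {"login"});
        params.put("username", new String[] {"admin"});
        params.put("Password", new String[] {"example-secret"});
        params.put("apiKey", new String[] {"EXAMPLE-KEY"});
        params.put("response", null);

        for (Map.Entry<String, String> e : sanitize(params).entrySet()) {
            System.out.println("   key: " + e.getKey() + ", value: " + e.getValue());
        }
    }
}
```

Because the copy holds plain strings rather than the original arrays, logging it as a whole map also avoids printing array object identifiers in place of values.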