Username and Password is getting printed in Access logs of SonarQube

Hello All,

Basically, we have developed a Sonar_exporter for scraping Sonar metrics such as projects, QualityProfiles, QualityGates and resource information into Prometheus using Python code.

We are using several web APIs to get the Sonar metrics using Python.
The API sequence is like this:

  1. We log in first through the authentication API.
  2. Then we perform operations using the projects/QPs/QGs web APIs.
  3. At last, we log out.

The above sequence executes in a loop to scrape data into Prometheus.

But it is found that the username and password are getting printed in the log line when the authentication API call hits SonarQube. It is not masking that part.

Any idea why it is not working? It may lead to a security breach, and we have to implement the SonarQube exporter for our use case.

Please help us with this.

SonarQube Version : 7.9.6

Thanks and regards,
Rahul Salunke


Hi,

Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

xxx → 7.9.6 → 8.9.2 → 9.1 (last step optional)

You may find the Upgrade Guide and the LTS-to-LTS Upgrade Notes helpful. If you have questions about upgrading, feel free to open a new thread for that here.

If you still have a problem after upgrade, please come back to us with the details.

Ann

Hi Ann,

I tried with version 8.9.2, but the issue is still there.
Any help will be appreciated.

Thanks

Hi,

Thanks for upgrading and re-testing.

I’ve just tried to simulate this a little via my browser (too lazy to write a script) and I’m not seeing credentials in my access logs. Can you provide more details? When you say

What exactly do you mean?

BTW, GitHub search has just helped me find this line in a file named TomcatAccessLog.java in the SonarQube repo:

private static final String DEFAULT_SQ_ACCESS_LOG_PATTERN = "%h %l %u [%t] \"%r\" %s %b \"%i{Referer}\" \"%i{User-Agent}\" \"%reqAttribute{ID}\"";

And I’ve matched this pattern up to what I’m seeing in my own localhost logs, so I think I’ve found the right thing. Could you identify, please, where in this pattern you’re seeing the problematic values?

Based on the Tomcat docs, it looks like the 2nd parameter is “remote logical username” but according to those same docs, it

(always returns ‘-’)

So that shouldn’t be a problem.
Then the third parameter is “Remote user that was authenticated (if any), else ‘-’”. Is that the problem?

Ann

Hi Ann,

You are right, when we simulate the login mechanism through the browser, it doesn’t print any user information in the log line:

x.x.x.x - - [29/Sep/2021:05:38:13 +0000] "POST /api/authentication/login HTTP/1.1" 200 - "https://sonar.something.com/sessions/new?return_to=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31" "AXwqoNt3ioPTiwdakjdasdk"

But when we go for the same login through Python:

    def login(self):
        url = self.server + '/api/authentication/login'
        # `params` are appended to the URL as the query string, so the
        # credentials become part of the request line the access log records.
        params = {
            'login': self.auth[0],
            'password': self.auth[1]
        }
        self.do_post(
            url=url,
            params=params
        )

It prints user information in the log line:

x.x.x.x - - [29/Sep/2021:05:41:33 +0000] "POST /api/authentication/login?login=admin&password=******** HTTP/1.1" 200 - "-" "python-requests/2.21.0" "AXwqoNt3ioPTiwJfAAAX"

Hi @rsalunke1996 ,

Please try to use HTTP basic auth when working with the API. The login endpoint should not be needed in that way. Let me try to give you an example:

import json
from pprint import pprint
import requests

FQDN = 'https://sonarqube.your-instance.com'
API_PATH = '/api/favorites/search'

# The user token goes in as the basic-auth username with an empty password;
# it is sent in the Authorization header, not in the URL.
response = requests.get(FQDN+API_PATH, auth=('YOUR API TOKEN GOES HERE', ''))

if response.ok:
    data = json.loads(response.text)
    pprint(data)
else:
    raise Exception(response)

Hope that helps :slight_smile:

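An added example (not code from this thread or from SonarQube) showing, with the standard library only, why Rahul's `params=` call and Tobias's token-based basic auth differ in what reaches the `%r` field of the Tomcat access-log pattern Ann quoted, plus a small scanner that flags access-log lines whose request line carries credentials; the helper names, the placeholder token and the sample log lines are constructed for this example and mirror what `requests` does for `params`, `data` and `auth`.

```python
import base64
import re
from urllib.parse import urlencode

LOGIN_PATH = "/api/authentication/login"

def request_line(method, path, params=None):
    """Build the first request line, which Tomcat logs as %r.
    Query-string parameters are part of that line."""
    if params:
        path = path + "?" + urlencode(params)
    return f"{method} {path} HTTP/1.1"

def login_via_query_string(user, password):
    """Mirrors requests.post(url, params=...): the credentials end up in %r."""
    return request_line("POST", LOGIN_PATH, {"login": user, "password": password}), None

def login_via_form_body(user, password):
    """Mirrors requests.post(url, data=...): %r stays clean, credentials go in the body."""
    return request_line("POST", LOGIN_PATH), urlencode({"login": user, "password": password})

def token_basic_auth_header(token):
    """Mirrors requests' auth=(token, ''): the token travels only in a header, never in %r."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()

# SonarQube's pattern: %h %l %u [%t] "%r" %s %b ...  -> group 6 is the URL inside %r.
ACCESS_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3})')
SENSITIVE_KEYS = {"password", "login", "token"}

def find_credential_leaks(log_lines):
    """Return (path, leaked keys) for every access-log line whose %r carries credentials."""
    hits = []
    for line in log_lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group(6).partition("?")
        keys = [p.split("=", 1)[0] for p in query.split("&") if p]
        leaked = sorted(k for k in keys if k in SENSITIVE_KEYS)
        if leaked:
            hits.append((path, leaked))
    return hits

# Constructed sample lines in the same shape as the ones quoted in the thread.
SAMPLE_LOG = [
    'x.x.x.x - - [29/Sep/2021:05:38:13 +0000] "POST /api/authentication/login HTTP/1.1" 200 - "-" "python-requests/2.21.0" "SAMPLE-ID-1"',
    'x.x.x.x - - [29/Sep/2021:05:41:33 +0000] "POST /api/authentication/login?login=admin&password=example HTTP/1.1" 200 - "-" "python-requests/2.21.0" "SAMPLE-ID-2"',
    'x.x.x.x - - [29/Sep/2021:05:42:00 +0000] "GET /api/favorites/search HTTP/1.1" 200 - "-" "python-requests/2.21.0" "SAMPLE-ID-3"',
]

if __name__ == "__main__":
    print(login_via_query_string("admin", "pw")[0])
    print(login_via_form_body("admin", "pw"))
    print(find_credential_leaks(SAMPLE_LOG))
```

Running the scanner over a real `access.log` is a quick way to confirm the exporter no longer writes credentials into it after switching to a token.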

Hi Tobias,

import json
from pprint import pprint
import requests

FQDN = 'https://sonarqube.your-instance.com'
API_PATH = '/api/authentication/login'

# Same token-as-basic-auth call as in the example above, but aimed at the login endpoint
response = requests.get(FQDN+API_PATH, auth=('YOUR API TOKEN GOES HERE', ''))

if response.ok:
    data = json.loads(response.text)
    pprint(data)
else:
    raise Exception(response)

I want to try the token with the login API; that isn’t supported.
Can you help me with this?

No. As already stated, this is not the right way to go and is not supported. The login endpoint is only used for the frontend of SonarQube and should not be used for scripting purposes against the API.
You can call any endpoint that requires authentication in a similar way as in the example that I shared with you.