From c5eb09a72f65a963aa72bbc9d03720f159ec7620 Mon Sep 17 00:00:00 2001
From: firest
Date: Mon, 4 Mar 2024 20:36:01 +0800
Subject: [PATCH 1/2] fix(http): fix that sensitive headers may be printed in log when querying
---
 apps/emqx_bridge_http/src/emqx_bridge_http_connector.erl | 4 ++--
 apps/emqx_utils/src/emqx_utils_redact.erl | 7 +++++--
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/apps/emqx_bridge_http/src/emqx_bridge_http_connector.erl b/apps/emqx_bridge_http/src/emqx_bridge_http_connector.erl
index 88449251c..7b12d0e55 100644
--- a/apps/emqx_bridge_http/src/emqx_bridge_http_connector.erl
+++ b/apps/emqx_bridge_http/src/emqx_bridge_http_connector.erl
@@ -861,9 +861,9 @@ redact(Data) ->
 %% and we also can't know the body format and where the sensitive data will be
 %% so the easy way to keep data security is redacted the whole body
 redact_request({Path, Headers}) ->
- {Path, redact(Headers)};
+ {Path, emqx_utils_redact:redact_headers(Headers)};
 redact_request({Path, Headers, _Body}) ->
- {Path, redact(Headers), <<"******">>}.
+ {Path, emqx_utils_redact:redact_headers(Headers), <<"******">>}.
 clientid(Msg) ->
 maps:get(clientid, Msg, undefined).
diff --git a/apps/emqx_utils/src/emqx_utils_redact.erl b/apps/emqx_utils/src/emqx_utils_redact.erl
index 698d631e9..4d3cc7f7b 100644
--- a/apps/emqx_utils/src/emqx_utils_redact.erl
+++ b/apps/emqx_utils/src/emqx_utils_redact.erl
@@ -16,7 +16,7 @@
 -module(emqx_utils_redact).
--export([redact/1, redact/2, is_redacted/2, is_redacted/3]).
+-export([redact/1, redact/2, redact_headers/1, is_redacted/2, is_redacted/3]).
 -export([deobfuscate/2]).
 -define(REDACT_VAL, "******").
@@ -62,6 +62,9 @@ redact(Term, Checker) ->
 is_sensitive_key(V) orelse Checker(V)
 end).
+redact_headers(Term) ->
+ do_redact_headers(Term).
+
 do_redact(L, Checker) when is_list(L) ->
 lists:map(fun(E) -> do_redact(E, Checker) end, L);
 do_redact(M, Checker) when is_map(M) ->
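Review bot: Both `redact_request/1` clauses return `Path` untouched, so a path template that interpolates a credential into the query string (for example `?token=...`) still reaches the log even though the headers and body are now masked. If the connector's path can carry user-supplied query parameters (its construction is outside this hunk, so this is inferred), masking everything after the `?` would close that gap without losing the part of the path that is useful for debugging. The sketch below assumes `Path` is a binary at this point; if it can be an iolist or string, `string:split/2` with the same shape would be needed instead. `redact_request/1` is fully contained in the hunk.

```erlang
redact_request({Path, Headers}) ->
    {redact_path(Path), emqx_utils_redact:redact_headers(Headers)};
%% … unchanged: 3-tuple clause, with the same redact_path(Path) …

%% Mask the whole query string so credentials interpolated into the path
%% template never reach the log. NOTE(review): assumes Path is a binary.
redact_path(Path) when is_binary(Path) ->
    case binary:split(Path, <<"?">>) of
        [Base, _Query] -> <<Base/binary, "?******">>;
        [_] -> Path
    end;
redact_path(Path) ->
    Path.
```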
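Review bot: The new `redact_headers/1` forwards straight to `do_redact_headers/1`, which (from the `check_is_sensitive_header`/`is_sensitive_header` clauses later in the patch) matches on header names only, whereas the `redact/1` call it replaces in the HTTP connector masked values by the generic `is_sensitive_key/1` names used in the `redact/2` checker just above. Unless `is_sensitive_header/1`, whose clauses run past the hunk, also consults `is_sensitive_key/1`, a header whose name is in the generic list but not in the header list would now be logged in clear. Making the new path a superset of the old one is a one-line change: `redact_headers(Term) -> do_redact_headers(redact(Term)).`. A `-spec redact_headers(term()) -> term().` and a one-line doc comment saying the function masks header values by header name, case-insensitively, would also help callers pick it over `redact/1`.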
@@ -128,7 +131,7 @@ do_redact_headers(Value) ->
 Value.
 check_is_sensitive_header(Key) ->
- Key1 = emqx_utils_conv:str(Key),
+ Key1 = string:trim(emqx_utils_conv:str(Key)),
 is_sensitive_header(string:lowercase(Key1)).
 is_sensitive_header("authorization") ->
From 7780b4f1d745f8ef90e45a8ccb8f96e1d56e5fbc Mon Sep 17 00:00:00 2001
From: Ivan Dyachkov
Date: Thu, 29 Feb 2024 10:26:52 +0100
Subject: [PATCH 2/2] chore: prepare 5.5.1 release
---
 apps/emqx/include/emqx_release.hrl | 4 ++--
 changes/e5.5.1.en.md | 29 ++++++++++++++++++++++++
 changes/v5.5.1.en.md | 21 +++++++++++++++++
 deploy/charts/emqx-enterprise/Chart.yaml | 4 ++--
 deploy/charts/emqx/Chart.yaml | 4 ++--
 5 files changed, 56 insertions(+), 6 deletions(-)
 create mode 100644 changes/e5.5.1.en.md
 create mode 100644 changes/v5.5.1.en.md
diff --git a/apps/emqx/include/emqx_release.hrl b/apps/emqx/include/emqx_release.hrl
index 2c687cd48..d35df9c92 100644
--- a/apps/emqx/include/emqx_release.hrl
+++ b/apps/emqx/include/emqx_release.hrl
@@ -32,10 +32,10 @@
 %% `apps/emqx/src/bpapi/README.md'
 %% Opensource edition
--define(EMQX_RELEASE_CE, "5.5.1-rc.2").
+-define(EMQX_RELEASE_CE, "5.5.1").
 %% Enterprise edition
--define(EMQX_RELEASE_EE, "5.5.1-rc.2").
+-define(EMQX_RELEASE_EE, "5.5.1").
 %% The HTTP API version
 -define(EMQX_API_VERSION, "5.0").
diff --git a/changes/e5.5.1.en.md b/changes/e5.5.1.en.md
new file mode 100644
index 000000000..a0772bbf1
--- /dev/null
+++ b/changes/e5.5.1.en.md
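Review bot: The `string:trim/1` wrapped around `emqx_utils_conv:str(Key)` in `check_is_sensitive_header/1` has no comment saying why it is there, and since header names on the wire cannot carry surrounding whitespace a later reader may take it for dead code and remove it. Presumably it covers header names typed into the action configuration with stray spaces, which would otherwise miss the `is_sensitive_header/1` match and be logged in clear; if so, say it: `%% Header names come from user config and may carry stray whitespace; normalise before matching.`. Note that only surrounding whitespace is handled — a name with an embedded space would still fall through to the catch-all. `check_is_sensitive_header/1` is fully inside the hunk; `is_sensitive_header/1` continues past it.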
@@ -0,0 +1,29 @@
+# 5.5.1
+
+## Enhancements
+
+- [#12497](https://github.com/emqx/emqx/pull/12497) Improved MongoDB connector performance, resulting in more efficient database interactions. This enhancement is supported by improvements in the MongoDB Erlang driver as well ([mongodb-erlang PR](https://github.com/emqx/mongodb-erlang/pull/41)).
+
+## Bug Fixes
+
+- [#12471](https://github.com/emqx/emqx/pull/12471) Fixed an issue that data integration configurations failed to load correctly during upgrades from EMQX version 5.0.2 to newer releases.
+
+- [#12542](https://github.com/emqx/emqx/pull/12542) Redacted authorization headers to exclude basic authorization credentials from debug logs in the HTTP Server connector, mitigating potential security risks.
+
+- [#12598](https://github.com/emqx/emqx/pull/12598) Fixed an issue that users were unable to subscribe to or unsubscribe from shared topic filters via HTTP API.
+
+ The affected APIs include:
+
+ - `/clients/:clientid/subscribe`
+ - `/clients/:clientid/subscribe/bulk`
+
+ - `/clients/:clientid/unsubscribe`
+ - `/clients/:clientid/unsubscribe/bulk`
+
+- [#12601](https://github.com/emqx/emqx/pull/12601) Fixed an issue where logs of the LDAP driver were not being captured. Now, all logs are recorded at the `info` level.
+
+- [#12606](https://github.com/emqx/emqx/pull/12606) The Prometheus API experienced crashes when the specified SSL certificate file did not exist in the given path. Now, when an SSL certificate file is missing, the `emqx_cert_expiry_at` metric will report a value of 0, indicating the non-existence of the certificate.
+
+- [#12608](https://github.com/emqx/emqx/pull/12608) Fixed a `function_clause` error in the IoTDB action caused by the absence of a `payload` field in query data.
+
+- [#12610](https://github.com/emqx/emqx/pull/12610) Fixed an issue where connections to the LDAP connector could unexpectedly disconnect after a certain period of time.
diff --git a/changes/v5.5.1.en.md b/changes/v5.5.1.en.md
new file mode 100644
index 000000000..8b5c0716d
--- /dev/null
+++ b/changes/v5.5.1.en.md
@@ -0,0 +1,21 @@
+# 5.5.1
+
+## Bug Fixes
+
+- [#12471](https://github.com/emqx/emqx/pull/12471) Fixed an issue that data integration configurations failed to load correctly during upgrades from EMQX version 5.0.2 to newer releases.
+
+- [#12542](https://github.com/emqx/emqx/pull/12542) Redacted authorization headers to exclude basic authorization credentials from debug logs in the HTTP Server connector, mitigating potential security risks.
+
+- [#12598](https://github.com/emqx/emqx/pull/12598) Fixed an issue that users were unable to subscribe to or unsubscribe from shared topic filters via HTTP API.
+
+ The affected APIs include:
+
+ - `/clients/:clientid/subscribe`
+ - `/clients/:clientid/subscribe/bulk`
+
+ - `/clients/:clientid/unsubscribe`
+ - `/clients/:clientid/unsubscribe/bulk`
+
+- [#12601](https://github.com/emqx/emqx/pull/12601) Fixed an issue where logs of the LDAP driver were not being captured. Now, all logs are recorded at the `info` level.
+
+- [#12606](https://github.com/emqx/emqx/pull/12606) The Prometheus API experienced crashes when the specified SSL certificate file did not exist in the given path. Now, when an SSL certificate file is missing, the `emqx_cert_expiry_at` metric will report a value of 0, indicating the non-existence of the certificate.
diff --git a/deploy/charts/emqx-enterprise/Chart.yaml b/deploy/charts/emqx-enterprise/Chart.yaml
index c1fbef623..014a37fd6 100644
--- a/deploy/charts/emqx-enterprise/Chart.yaml
+++ b/deploy/charts/emqx-enterprise/Chart.yaml
@@ -14,8 +14,8 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 5.5.1-rc.2
+version: 5.5.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 5.5.1-rc.2
+appVersion: 5.5.1
diff --git a/deploy/charts/emqx/Chart.yaml b/deploy/charts/emqx/Chart.yaml
index 3b0a12d3b..8b60276ed 100644
--- a/deploy/charts/emqx/Chart.yaml
+++ b/deploy/charts/emqx/Chart.yaml
@@ -14,8 +14,8 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 5.5.1-rc.2
+version: 5.5.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 5.5.1-rc.2
+appVersion: 5.5.1