fix: password log leak in RabbitMQ bridge

This fixes a vulnerability in the RabbitMQ bridge, which could potentially expose passwords to log files. This was accomplished by initializing the encryption library specifically designed for RabbitMQ's passwords. Consequently, passwords are no longer stored in unencrypted format. As a result, they will no longer be visible as plain text in log messages, thereby enhancing the system's security. Fixes: https://emqx.atlassian.net/browse/EMQX-9976
2023-05-30 12:22:21 +02:00 · 2023-05-30 12:22:21 +02:00 · a4fcc0dcb3
parent 75fcac9711
commit a4fcc0dcb3
3 changed files with 14 additions and 2 deletions
--- a/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq.app.src
+++ b/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq.app.src
@ -1,6 +1,6 @@
 {application, emqx_bridge_rabbitmq, [
    {description, "EMQX Enterprise RabbitMQ Bridge"},
-    {vsn, "0.1.1"},
+    {vsn, "0.1.2"},
    {registered, []},
    {applications, [kernel, stdlib, ecql, rabbit_common, amqp_client]},
    {env, []},
--- a/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq_connector.erl
+++ b/apps/emqx_bridge_rabbitmq/src/emqx_bridge_rabbitmq_connector.erl
@ -13,6 +13,7 @@

 %% Needed to create RabbitMQ connection
 -include_lib("amqp_client/include/amqp_client.hrl").
+-include_lib("credentials_obfuscation/include/credentials_obfuscation.hrl").

 -behaviour(emqx_resource).
 -behaviour(hocon_schema).
@ -230,6 +231,17 @@ on_start(
        processed_payload_template => ProcessedTemplate,
        config => Config
    },
+    %% Initialize RabbitMQ's secret library so that the password is encrypted
+    %% in the log files.
+    case credentials_obfuscation:secret() of
+        ?PENDING_SECRET ->
+            Bytes = crypto:strong_rand_bytes(128),
+            %% The password can appear in log files if we don't do this
+            credentials_obfuscation:set_secret(Bytes);
+        _ ->
+            %% Already initialized
+            ok
+    end,
    case emqx_resource_pool:start(InstanceID, ?MODULE, Options) of
        ok ->
            {ok, State};
--- a/apps/emqx_rule_engine/src/emqx_rule_engine.app.src
+++ b/apps/emqx_rule_engine/src/emqx_rule_engine.app.src
@ -2,7 +2,7 @@
 {application, emqx_rule_engine, [
    {description, "EMQX Rule Engine"},
    % strict semver, bump manually!
-    {vsn, "5.0.18"},
+    {vsn, "5.0.19"},
    {modules, []},
    {registered, [emqx_rule_engine_sup, emqx_rule_engine]},
    {applications, [kernel, stdlib, rulesql, getopt, emqx_ctl]},