Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[actions] ensure connector URLs do not have auth info embedded in the URL #96236

Open
pmuellr opened this issue Apr 5, 2021 · 2 comments
Open

[actions] ensure connector URLs do not have auth info embedded in the URL #96236

pmuellr opened this issue Apr 5, 2021 · 2 comments
Labels
connectivity Issues relating to connectivity between Kibana and external services estimate:needs-research Estimated as too large and requires research to break down into workable issues Feature:Actions/ConnectorTypes Issues related to specific Connector Types on the Actions Framework Feature:Actions Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@pmuellr
Copy link
Member

pmuellr commented Apr 5, 2021

From a comment in PR 95365, it was noted that we should not allow customers to associate URLs that have embedded auth info in them, where we currently allow URLs.

For example, the url https://elastic:[email protected] contains an embedded userid / password of elastic / changeme. Allowing customers to enter this auth info means the URLs will end up containing sensitive information, and these fields are currently not encrypted like other "secrets" used in connectors.

Any connector that can handle (or requires) userid / password values already has these available as separate, encrypted fields, so there should be no loss of function when making this restriction.

I believe this affects the following connectors:

  • jira
  • resilient
  • servicenow
  • pagerduty
  • teams
  • webhook

It specifically does not affect slack, or is different, because the slack url contains an authentication token in the path, and is already stored encrypted. But I guess we should probably disallow using the embedded userid / password even in this case, just to standardize this restriction across the connectors.
@pmuellr pmuellr added Feature:Actions Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Apr 5, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@pmuellr pmuellr mentioned this issue Apr 5, 2021
Merged
9 tasks
@pmuellr
Copy link
Member Author

pmuellr commented Apr 7, 2021

In addition to connectors, there are some config keys that are URLs (eg, proxy), and those should likewise be checked for auth info.

@gmmorris gmmorris added the Feature:Actions/ConnectorTypes Issues related to specific Connector Types on the Actions Framework label Jul 1, 2021
@gmmorris gmmorris added the loe:needs-research This issue requires some research before it can be worked on or estimated label Jul 15, 2021
@gmmorris gmmorris added connectivity Issues relating to connectivity between Kibana and external services estimate:needs-research Estimated as too large and requires research to break down into workable issues labels Aug 13, 2021
@gmmorris gmmorris removed the loe:needs-research This issue requires some research before it can be worked on or estimated label Sep 2, 2021
@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022
@mikecote mikecote mentioned this issue Feb 21, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
connectivity Issues relating to connectivity between Kibana and external services estimate:needs-research Estimated as too large and requires research to break down into workable issues Feature:Actions/ConnectorTypes Issues related to specific Connector Types on the Actions Framework Feature:Actions Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)
Projects
No open projects
AppEx: ResponseOps - Execution & Connectors
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
5 participants
@pmuellr @gmmorris @kobelb @mikecote @elasticmachine