prometheus/blackbox_exporter

Exposed sensitive data in debug probe, recent probe logs, and config endpoint

Maros112358 opened this issue · 1 comment

I have sensitive data in my TCP probe like this:

    my_tcp_probe:
      prober: tcp
      timeout: 5s
      tcp:
        query_response:
        - expect: "220"
        - send: "USER my_username\r"
        - expect: "331"
        - send: "PASS sensitive_data_here"
        - expect: "230"
        - send: "QUIT\r"
        - expect: "221"

I set --log.level=error, but someone can still access my sensitive data by visiting /config or /probe?debug=true....

I would like to hide my sensitive data from these endpoints. Some ideas:

  • flag config.hide will turn off /config
  • flag probe.no-debug will not allow query parameter debug=true to be used
  • flag secure will run blackbox-exporter in mode with only /probe endpoint without option debug=true

EDIT: Setting history.limit=0 solves the problem with /logs

> I set --log.level=error, but someone can still access my sensitive data by visiting /config or /probe?debug=true....

You can configure TLS and basic authentication to secure HTTP endpoints.

I am going to close this because we have a way to secure these endpoints. If you need additional security, we recommend using other methods to secure your blackbox_exporter installation :)
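An added example, not part of the thread or the project's own documentation: a web configuration file that puts TLS and basic authentication in front of the exporter's listener, followed by the matching Prometheus scrape job. The file names, paths, user name `prometheus`, host names and the bcrypt placeholder are assumptions.

```yaml
# web-config.yml (hypothetical file name). Start the exporter with:
#   blackbox_exporter --config.file=blackbox.yml \
#     --web.config.file=web-config.yml --history.limit=0
# Without --web.config.file, /config, /logs and /probe?debug=true are served
# over plain HTTP to anyone who can reach the port.
tls_server_config:
  cert_file: /etc/blackbox_exporter/tls/server.crt   # placeholder path
  key_file: /etc/blackbox_exporter/tls/server.key    # placeholder path
  min_version: TLS12
basic_auth_users:
  # user name: bcrypt hash of the password, never the clear-text password.
  # One way to produce the hash: htpasswd -nBC 10 "" | tr -d ':\n'
  prometheus: "<bcrypt-hash-placeholder>"
---
# prometheus.yml scrape job. Authentication covers the whole listener,
# /probe included, so the scraper has to present the credentials as well.
scrape_configs:
  - job_name: blackbox_tcp
    scheme: https
    metrics_path: /probe
    params:
      module: [my_tcp_probe]          # module name from the issue above
    basic_auth:
      username: prometheus
      password_file: /etc/prometheus/secrets/blackbox_password  # placeholder
    tls_config:
      ca_file: /etc/prometheus/tls/ca.crt                       # placeholder
    static_configs:
      - targets: ["ftp.example.internal:21"]   # constructed probe target
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: blackbox.example.internal:9115  # constructed exporter address
```

Anyone holding the basic-auth credentials can still read the `send:` lines through /config, so keep read access to the credentials and to `blackbox.yml` itself as narrow as the FTP password requires.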