Affects: since release v5.3.5 up to current v5.3.14, via commit 1ef8cad of issue #26649

If for some reason the production system must be temporarily running at the DEBUG level, there might be a security issue.

If a gateway error occurs in that time while the gateway is communicating with the backend server, the API response additionally contains the local IP and remote IP. Thus we are exposing network details to the outside world, which should not be done.

{"timestamp":1641298126366,"path":"/api/endpoint","status":504,"error":"Gateway Timeout","requestId":"b35a8d76-10, L:/10.1.50.20:8080 - R:/10.1.50.10:45686"}

The extended log file information is fine for me; there I see the IPs. It's just the API response that has too many private details.

As an attacker I obtain details about two systems:

10.1.50.20 == internal gateway IP
10.1.50.10 == internal TLS endpoint IP in front of the gateway, not the public one

The attacker can now combine this info with other vulnerabilities (maybe in other components), e.g. some SSRF, as he knows the internal IP infrastructure.

No up-to-date Apache httpd running? --> CVE-2021-40438
No up-to-date Keycloak running? --> CVE-2020-10770

My mitigation: my current workaround is to set this one log channel to INFO level. Logback XML notation:

<logger name="org.springframework.http.server.reactive.ReactorServerHttpRequest" level="INFO" />

or in application.properties:

logging.level.org.springframework.http.server.reactive.ReactorServerHttpRequest=INFO

The related code is this part: https://github.com/spring-projects/spring-framework/blob/main/spring-web/src/main/java/org/springframework/http/server/reactive/ReactorServerHttpRequest.java#L222-L224

To easily reproduce the problem, set up very small timeout values (1 ms) for the gateway as the client:

httpclient.connectionTimeout: 1
httpclient.receiveTimeout: 1
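A defensive complement to the log-level workaround above, added here as an example and not part of the original report or of the Spring projects' code: a Spring Boot WebFlux configuration (assumes Boot 2.3 or later, where DefaultErrorAttributes takes an ErrorAttributeOptions argument) that cuts the requestId attribute at its first comma before the error body is serialized, so the "L:/... - R:/..." connection details shown in the response above never reach the client, whatever the log level. The split-on-comma rule assumes the id format shown in this report.

```java
import java.util.Map;

import org.springframework.boot.web.error.ErrorAttributeOptions;
import org.springframework.boot.web.reactive.error.DefaultErrorAttributes;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.reactive.function.server.ServerRequest;

// Hypothetical application config (not Spring's own code): replaces the
// default ErrorAttributes bean with one that sanitizes "requestId".
@Configuration
public class SanitizedErrorAttributesConfig {

    @Bean
    public DefaultErrorAttributes errorAttributes() {
        return new DefaultErrorAttributes() {
            @Override
            public Map<String, Object> getErrorAttributes(ServerRequest request,
                                                          ErrorAttributeOptions options) {
                // Build the usual timestamp/path/status/error/requestId map first.
                Map<String, Object> attrs = super.getErrorAttributes(request, options);
                Object id = attrs.get("requestId");
                if (id instanceof String) {
                    attrs.put("requestId", stripConnectionInfo((String) id));
                }
                return attrs;
            }
        };
    }

    // "b35a8d76-10, L:/10.1.50.20:8080 - R:/10.1.50.10:45686" -> "b35a8d76-10".
    // Ids without a comma (the non-DEBUG format) are returned unchanged.
    static String stripConnectionInfo(String requestId) {
        int comma = requestId.indexOf(',');
        return comma < 0 ? requestId : requestId.substring(0, comma).trim();
    }
}
```

The server-side log prefix is untouched by this, so the local and remote addresses still appear in the DEBUG log file where the reporter wants them.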

Comment From: quaff

I prefer to keep current behavior.

Comment From: alefq

I suggest you do not expose DEBUG level info with your outside clients. If you only need debug level for specific scenarios, you can change log levels at runtime with Spring Boot Actuator.

Comment From: rstoyanchev

Thanks for the report @psytester. I think we can make an improvement such that the logPrefix remains as it is currently, because it is useful to log this at debug level, but the requestId should be more of an identifier and not include additional debugging info.