New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve "Git Commit Information" reference documentation #24205
Comments
IIRC, by default the info endpoint returns an empty json unless an explicit |
I quite like the idea of hiding the |
I don't think I see a use case for having an unauthenticated response and an authenticated response for the info endpoint. For the health endpoint, there can be a monitoring system which might just need to get the status and then an authenticated user can get more information. Since the info endpoint doesn't include any information by default, I don't see the benefit of hiding that information when enabled. |
Looking at the I think the current arrangement strikes a nice balance and I'm in favor of keeping things that way. |
Our Maven plugin for generating the build info can be configured not to include the time and the Gradle plugin can too. Similar capabilities are also available in the Maven and Gradle plugins for generating the git properties. The Maven plugin allows the properties that are included to be configured and the Gradle plugin does too:
One complication here is our |
One advantage of keeping the property is it's possible to switch things at runtime. E.g. you can set the plugin to include everything and then later decide if you show it or not. |
Not to advocate for spring boot solving this problem, but to potentially present a real use case: Internally we have a tool that wants to collect and validate installed versions across dozens of applications/installations. This is a antiquated tool for which providing all of the actuator credentials would be inappropriate/onerous, and it only really needs the version/artifact information. We also use or have developed many Our current plan is to create a But what we are trying to achieve is sort of the same use case as the |
We had quite a long discussion about this issue today to think about the options. We ultimately decided that we're going to leave things as they are but update the "Git Commit Information" section as it's a bit lacking. Here's a summary of some of the ideas that we discussed: Don't show all of the data unless you're authenticatedThere would be a bit of work for us to do to support this, but ultimately the problem becomes about categorizing the information to decide when it should be shown. For example, should we include the git sha, but exclude the timestamp by default? How do users change our defaults? How do users define which of their own entries get shown or hidden? It's certainly would require a fair amount of design work. Introduce something like health groupsWe could introduce some kind of info group solution where you can assign info entries to groups. This might allow you to categorize sensitive vs insensitive entries. To be of use, we'd probably also need to support authentication so that we can have a property similar to Update the
|
Perhaps In any sense, thank you for the explanation |
So... I could potentially report this as a security vulnerability, but it's already easily mitigated, and pretty minor. I suspect this will get closed. This issue may also be better remedied in the
BuildInfo
plugins for maven/gradle./actuator/info
leaks information that allows an attacker to determine what vulnerabilities may be available. Specifically datetime's. If I know the build/last gittime
I know what libraries were available, and can even guess at the version of the JVM.my preferred solution would be for
info
to make likehealth
and not show all of the data unless you're authenticated.Another solution is to null out
time
for both build andgit
, currently this is possible with build in the gradle plugin using kotlin, but not possible with git as there is no api exposed to set that property.lastly of course, you can just use these properties to make them require authentication.
and secure them further https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready-endpoints-security
just an idea.
The text was updated successfully, but these errors were encountered: