[Bug] RpcException message should not contain the accessKey and secretKey from MSE Nacos #15678

@vergilyn

Description

Pre-check

  • I am sure that all the content I provide is in English.

Search before asking

  • I had searched in the issues and found no similar issues.

Apache Dubbo Component

Java SDK (apache/dubbo)

Dubbo Version

dubbo: 3.2.x & 3.3.x
nacos: 2.x

case01:

dubbo.registry.address=nacos://${mseNacosAddress}:8848?accessKey=${accessKey}&secretKey=${secretKey}

case02:

dubbo.registry.address=nacos://${mseNacosAddress}:8848
dubbo.registry.parameters.accessKey=${accessKey}
dubbo.registry.parameters.secretKey=${secretKey}

Steps to reproduce this issue

public List<Invoker<T>> list(Invocation invocation) throws RpcException {
    if (destroyed) {
        // getUrl() renders the full registry URL, query parameters included
        throw new RpcException(
                "Directory of type " + this.getClass().getSimpleName() + " already destroyed for service "
                        + getConsumerUrl().getServiceKey() + " from registry " + getUrl());
    }
    // ...
}

  1. Modify destroyed=true through debug (or Arthas).
  2. The RpcException message contains sensitive properties, e.g.
org.apache.dubbo.rpc.RpcException:
  Directory of type ServiceDiscoveryRegistryDirectory already destroyed for service com.xxx.dubbo.DemoDubboService:1.0 from registry nacos://mes-nacos-address:8848/org.apache.dubbo.registry.RegistryService?...&accessKey=...&secretKey=...

What you expected to happen

RpcException message should not contain sensitive properties.

Anything else

If Apache Nacos uses username&password AUTH, dubbo will remove sensitive properties.

if (defaultParameters != null) {
    // Address parts and the username/password credentials are stripped;
    // accessKey and secretKey are not in this list
    defaultParameters.remove(PROTOCOL_KEY);
    defaultParameters.remove(USERNAME_KEY);
    defaultParameters.remove(PASSWORD_KEY);
    defaultParameters.remove(HOST_KEY);
    defaultParameters.remove(PORT_KEY);
    defaultParameters.remove(PATH_KEY);
}

Note: if the registry is configured as in case02, dubbo specially handles username&password by removing them from the url parameters, so the RpcException message does not contain sensitive information. However, dubbo does not give the same special handling to the MSE Nacos accessKey&secretKey.
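The mitigation the report asks for, as an added example that is not Dubbo's own code: redact credential-carrying query parameters (username, password, accessKey, secretKey) from a registry URL before it is embedded in an exception message, and check that the message no longer carries the values. The class name, the key set and the sample URL values are assumptions for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example, not Dubbo's own code: redact secrets from a registry URL
// before it lands in an exception message or a log line.
public final class RegistryUrlRedactor {
    // Assumed sensitive keys for this report: Nacos username/password and
    // MSE Nacos accessKey/secretKey. Matching is exact and case-sensitive.
    private static final Set<String> SENSITIVE_KEYS =
            new HashSet<>(Arrays.asList("username", "password", "accessKey", "secretKey"));

    public static String redact(String url) {
        int q = url.indexOf('?');
        if (q < 0) {
            return url; // no query string, nothing to hide
        }
        String[] pairs = url.substring(q + 1).split("&");
        StringBuilder sb = new StringBuilder(url.substring(0, q)).append('?');
        for (int i = 0; i < pairs.length; i++) {
            if (i > 0) sb.append('&');
            int eq = pairs[i].indexOf('=');
            String key = eq < 0 ? pairs[i] : pairs[i].substring(0, eq);
            if (SENSITIVE_KEYS.contains(key)) {
                sb.append(key).append("=***"); // keep the key for debugging, drop the value
            } else {
                sb.append(pairs[i]);           // non-sensitive parameter passes through unchanged
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample URL mirroring case01; the credential values are placeholders.
        String url = "nacos://mse-nacos-address:8848/org.apache.dubbo.registry.RegistryService"
                + "?application=demo&accessKey=AK_PLACEHOLDER&secretKey=SK_PLACEHOLDER&timeout=3000";
        String safe = redact(url);
        // Same shape of message as the directory check in the report, with the redacted URL.
        RuntimeException e = new RuntimeException(
                "Directory already destroyed for service com.xxx.DemoService from registry " + safe);
        if (e.getMessage().contains("AK_PLACEHOLDER") || e.getMessage().contains("SK_PLACEHOLDER")) {
            throw new AssertionError("secret leaked into exception message");
        }
        System.out.println(e.getMessage());
    }
}
```

The same check belongs in a unit test for any code path that concatenates a registry URL into a message, since the leak in this report only shows up once `destroyed` is true.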

Are you willing to submit a pull request to fix on your own?

  • Yes I am willing to submit a pull request on my own!

Code of Conduct

Metadata

Labels: help wanted (Everything needs help from contributors), type/bug (Bugs to being fixed)
