Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 25.01.2
- None
Description
The security team noticed that the build.properties and build.log (86) files are accessible in the download directory. These files appear to expose internal build infrastructure details as well as employee email addresses.
Example:
https://dlm.mariadb.com/browse/mariadb_maxscale_enterprise/25.01.2/?flat=1
In this flat view you will see:
- build.log files containing internal information
- build.properties file that exposes:
  - Internal build infrastructure paths (e.g., /home/timofey_turenko_mariadb_com/MaxScale/BUILD/generate_sbom.sh)
  - Internal build server URL: https://mdbe-buildbot.mariadb.net/#/builders/158/builds/265
  - Employee names and email addresses:
    - johan.wikman@mariadb.com
    - timofey_turenko@mariadb.com
These details do not seem necessary for customer-facing downloads. This differs from what is published under the Enterprise builds where we do not publish build.log or build.properties.
Could you investigate why these files are being exposed and confirm whether they can be removed from public access?
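
A pre-publish check for the exposure described in this report, as an added example that is not part of the original issue or of MariaDB's tooling: it walks a staged download tree and flags build.log and build.properties by name, plus any text file containing a home-directory path, a build-server URL or an email address. The function names, regexes and sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Filenames the report says should not be in a customer-facing download tree.
BLOCKED_NAMES = {"build.log", "build.properties"}
# Leak classes named in the report; the regexes are assumptions for this example.
LEAK_PATTERNS = {
    "home_path": re.compile(r"/home/[A-Za-z0-9_.-]+/\S*"),
    "internal_url": re.compile(r"https?://[A-Za-z0-9.-]*buildbot[A-Za-z0-9.-]*\S*"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}
TEXT_SUFFIXES = {".log", ".properties", ".txt", ".json", ".xml"}


def audit_release_tree(root):
    """Return sorted (relative_path, reason) findings for a staged release tree."""
    findings = set()
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in BLOCKED_NAMES:
            findings.add((rel, "blocked_filename"))
        if path.suffix.lower() not in TEXT_SUFFIXES:
            continue  # skip packages and other binaries
        text = path.read_text(encoding="utf-8", errors="replace")
        for reason, pattern in LEAK_PATTERNS.items():
            if pattern.search(text):
                findings.add((rel, reason))
    return sorted(findings)


def make_sample_tree(base):
    """Build a constructed sample tree (placeholder values, not real data)."""
    base = Path(base)
    (base / "rhel9").mkdir(parents=True)
    (base / "rhel9" / "maxscale.rpm").write_bytes(b"\x00binary")
    (base / "rhel9" / "build.log").write_text("cd /home/builder_example/src/BUILD\n")
    (base / "build.properties").write_text(
        "url=https://buildbot.example.invalid/builds/1\nowner=dev@example.com\n")
    (base / "sbom.json").write_text('{"name": "maxscale"}\n')
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_release_tree(make_sample_tree(tmp)))
```

Run against the staging directory before it is synced to the download server, a non-empty result can fail the publish job.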