dropwizard-healthcheck exposes too much information on public port #7072

Open
markjeffreymiller opened this issue May 2, 2023 · 2 comments

@markjeffreymiller

Prior to Dropwizard 2.1, the healthcheck JSON output (from io.dropwizard.modules:dropwizard-health) was limited to pretty much a boolean output ("healthy" or "unhealthy").

With 2.1, the JSON response (when requested with /health-check?name=all) gives a fine-grained status for each upstream service, and it does so on the public port.

This seems slightly dangerous to me from both a security and privacy perspective. Take for instance a situation like the following, where we are leaking to the public that the service uses a specific database (security), AND that there's likely a major product announcement forthcoming (privacy):

 [
    {"name":"popular-database-with-known-vulnerabilities","healthy":true,"type":"READY","critical":true},
    {"name":"beta-chatgpt-hologram-nft-service","healthy":true,"type":"READY","critical":false}
]

Now, I'm not saying this is a rootkit-level sort of security threat, but my feeling has always been that Dropwizard should be skewing toward a "default secure" mindset. And of course a properly configured loadbalancer will prevent this access from occurring, but not everyone is perfect all of the time.

I'm all for exposing this detailed information on the admin port, and for exposing a very limited, zero-details healthcheck service on the public port. But it really seems like a security failure to make those details available, in the default configuration, on the public port.

@markjeffreymiller markjeffreymiller changed the title DW 2.1: new healthcheck on main port exposes too much information on public port DW 2.1: new healthcheck exposes too much information on public port May 2, 2023
@joschi joschi added the security label May 3, 2023
@joschi joschi changed the title DW 2.1: new healthcheck exposes too much information on public port dropwizard-healthcheck exposes too much information on public port May 3, 2023
@github-actions github-actions bot added the stale Stale issue or pull request which will be closed soon label Oct 31, 2023
@zUniQueX zUniQueX removed the stale Stale issue or pull request which will be closed soon label Oct 31, 2023
@dropwizard dropwizard deleted a comment from github-actions bot Nov 4, 2023
@ryankennedy
Member

ryankennedy commented Apr 3, 2024

Unless I’m mistaken, healthchecks are only available on the admin port. So unless you’re using something like the simple server (which allows you to serve the admin endpoints on the “main” server port), this shouldn’t be a concern. Are you running with the simple server factory?

@markjeffreymiller
Author

markjeffreymiller commented Apr 13, 2024

I run DW with a pretty heavily-customized set of dependencies so I wasn't 100% sure about myself, but I went ahead and created a new project using the mvn archetype command, and it's definitely exposing the healthcheck names on the primary port:

# curl 'http://localhost:8080/healthcheck' ## main port without "?name=all"
[]
# curl 'http://localhost:8080/healthcheck?name=all' ## main port with "?name=all"; response includes healthcheck names
[{"name":"looking-good-billyray","healthy":true,"type":"READY","critical":true}]
# curl 'http://localhost:8081/healthcheck?name=all' ## admin port; response includes healthcheck names *and messages*
{"deadlocks":{"healthy":true,"duration":0,"timestamp":"2024-04-12T23:34:41.579-07:00"},"looking-good-billyray":{"healthy":true,"message":"Feeling Good, Lewis","duration":0,"timestamp":"2024-04-12T23:34:41.579-07:00"}}

Sample project: https://github.com/markjeffreymiller/helloplanet
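
The three responses in the comment above can be turned into a regression check that a deployment's public port stays at zero detail. This is an added example, not code from the thread or from the Dropwizard project; `audit_health_body` and `is_zero_detail` are hypothetical names, and the sample bodies are copied from the curl output above.

```python
import json

# Response bodies copied from the curl output in the comment above.
PUBLIC_DEFAULT = '[]'
PUBLIC_NAME_ALL = ('[{"name":"looking-good-billyray","healthy":true,'
                   '"type":"READY","critical":true}]')
ADMIN_NAME_ALL = ('{"deadlocks":{"healthy":true,"duration":0,'
                  '"timestamp":"2024-04-12T23:34:41.579-07:00"},'
                  '"looking-good-billyray":{"healthy":true,'
                  '"message":"Feeling Good, Lewis","duration":0,'
                  '"timestamp":"2024-04-12T23:34:41.579-07:00"}}')

# Fields that say nothing beyond up/down; every other field is a disclosure.
BOOLEAN_ONLY = {"healthy"}


def audit_health_body(body):
    """Return a sorted list of (kind, value) disclosures in a health response.

    Handles both shapes shown in the thread: a list of per-check objects and
    an object keyed by check name. An unparseable body is reported as a
    finding rather than treated as clean.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return [("unparseable", body[:40])]
    if isinstance(doc, list):
        entries = [(e.get("name"), e) for e in doc if isinstance(e, dict)]
    elif isinstance(doc, dict):
        entries = [(k, v) for k, v in doc.items() if isinstance(v, dict)]
    else:
        entries = []
    findings = set()
    for name, fields in entries:
        if name is not None:
            findings.add(("check-name", str(name)))
        for key, value in fields.items():
            if key != "name" and key not in BOOLEAN_ONLY:
                findings.add(("field:" + key, str(value)))
    return sorted(findings)


def is_zero_detail(body):
    """True when the body discloses no check names or per-check fields."""
    return not audit_health_body(body)
```

Run against a body fetched from the public port in CI or a smoke test, `is_zero_detail` returning false means dependency names or messages are reachable without going through the admin port.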
