CVE-2026-30778

@@ -67,6 +67,7 @@
   | **Total (OAP threads)**               | **150+**           | **~72** | **~50% reduction, stable in high payload.** |
 
 * Replace PowerMock Whitebox with standard Java Reflection in `server-library`, `server-core`, and `server-configuration` to support JDK 25+.
+* Fix `/debugging/config/dump` may leak sensitive information if there are second level properties in the configuration.
 
 #### OAP Server
 

@@ -20,6 +20,7 @@
 
 import java.util.HashMap;
 import java.util.List;
+import java.util.Properties;
 import java.util.concurrent.CopyOnWriteArrayList;
 import lombok.Getter;
 import lombok.RequiredArgsConstructor;
@@ -100,19 +101,43 @@ public ConfigList dumpBootingConfigurations(String keywords4MaskingSecretsOfConf
                 (providerName, providerConfiguration) ->
                     providerConfiguration.getProperties().forEach(
                         (key, value) -> {
-                            for (final String keyword : keywords) {
-                                if (key.toString().toLowerCase().contains(keyword.toLowerCase())) {
-                                    value = "******";
-                                }
+                            if (value instanceof Properties) {
+                                Properties properties = (Properties) value;
+                                properties.forEach((k, v) -> {
+                                    String configKey = moduleName + "." + providerName + "." + key + "." + k;
+                                    String configValue = maskConfigValue(k.toString(), v.toString(), keywords);
+                                    configList.put(configKey, configValue);
+                                });
+                            } else {
+                                String configKey = moduleName + "." + providerName + "." + key;
+                                String configValue = maskConfigValue(key.toString(), value.toString(), keywords);
+                                configList.put(configKey, configValue);
                             }
-                            configList.put(moduleName + "." + providerName + "." + key, value.toString());
                         }
                     )
             );
         }
         return configList;
     }
 
+    /**
+     * Mask the configuration value if the key contains any masking keyword.
+     *
+     * @param configKey   the configuration key to check
+     * @param configValue the configuration value to mask
+     * @param keywords    the keywords for masking secrets
+     * @return masked value "******" if key matches any keyword, otherwise return the original value
+     */
+    private String maskConfigValue(String configKey, String configValue, String[] keywords) {
+        String lowerConfigKey = configKey.toLowerCase();
+        for (String keyword : keywords) {
+            if (lowerConfigKey.contains(keyword.toLowerCase())) {
+                return "******";
+            }
+        }
+        return configValue;
+    }
+
     public static class ConfigList extends HashMap<String, String> {
         @Override
         public String toString() {

@@ -0,0 +1,204 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+core.default.autocompleteTagKeysQueryMaxSize=100
+receiver-sharing-server.default.gRPCPort=0
+aws-firehose.default.port=12801
+core.default.restPort=12800
+receiver-sharing-server.default.gRPCSslCertChainPath=
+agent-analyzer.default.meterAnalyzerActiveFiles=datasource,threadpool,satellite,go-runtime,python-runtime,continuous-profiling,java-agent,go-agent,ruby-runtime
+receiver-pprof.default.memoryParserEnabled=true
+agent-analyzer.default.traceSamplingPolicySettingsFile=trace-sampling-policy-settings.yml
+core.default.gRPCSslTrustedCAPath=
+configuration-discovery.default.disableMessageDigest=false
+core.default.serviceNameMaxLength=70
+aws-firehose.default.tlsCertChainPath=
+envoy-metric.default.k8sServiceNameRule=${pod.metadata.labels.(service.istio.io/canonical-name)}.${pod.metadata.namespace}
+ai-pipeline.provider=default
+promql.default.buildInfoVersion=2.45.0
+receiver-ebpf.default.maxConcurrentCallsPerConnection=0
+aws-firehose.provider=default
+receiver-event.provider=default
+core.default.searchableAlarmTags=level
+core.default.prepareThreads=2
+core.default.topNReportPeriod=10
+core.default.enableDataKeeperExecutor=true
+agent-analyzer.default.slowCacheReadThreshold=default:20,redis:10
+receiver-ebpf.default.continuousPolicyCacheTimeout=60
+receiver-ebpf.default.gRPCSslKeyPath=
+receiver-browser.provider=default
+agent-analyzer.default.segmentStatusAnalysisStrategy=FROM_SPAN_STATUS
+envoy-metric.default.maxConcurrentCallsPerConnection=0
+health-checker.default.checkIntervalSeconds=30
+core.default.gRPCSslEnabled=false
+logql.default.restAcceptQueueSize=0
+receiver-clr.provider=default
+receiver-async-profiler.provider=default
+storage.provider=mysql
+query.graphql.maxQueryComplexity=3000
+core.default.httpMaxRequestHeaderSize=8192
+receiver-sharing-server.default.gRPCSslEnabled=false
+telemetry.prometheus.sslEnabled=false
+receiver-sharing-server.default.authentication=******
+aws-firehose.default.acceptQueueSize=0
+storage.mysql.properties.dataSource.prepStmtCacheSize=250
+core.default.serviceCacheRefreshInterval=10
+core.default.gRPCSslKeyPath=
+receiver-ebpf.provider=default
+telemetry.prometheus.sslCertChainPath=
+receiver-sharing-server.default.maxConcurrentCallsPerConnection=0
+storage.mysql.asyncBatchPersistentPoolSize=4
+telemetry.provider=prometheus
+core.default.trainingPeriodHttpUriRecognitionPattern=60
+promql.default.restContextPath=/
+core.default.maxHeapMemoryUsagePercent=96
+aws-firehose.default.contextPath=/
+agent-analyzer.default.slowCacheWriteThreshold=default:20,redis:10
+envoy-metric.default.maxMessageSize=0
+promql.default.buildInfoGoVersion=
+storage.mysql.properties.dataSource.cachePrepStmts=true
+receiver-ebpf.default.gRPCThreadPoolSize=0
+query.graphql.enableLogTestTool=false
+envoy-metric.default.gRPCSslCertChainPath=
+receiver-ebpf.default.gRPCPort=0
+promql.default.buildInfoRevision=
+receiver-otel.default.enabledOtelMetricsRules=apisix,nginx/*,k8s/*,istio-controlplane,vm,mysql/*,postgresql/*,oap,aws-eks/*,windows,aws-s3/*,aws-dynamodb/*,aws-gateway/*,redis/*,elasticsearch/*,rabbitmq/*,mongodb/*,kafka/*,pulsar/*,bookkeeper/*,rocketmq/*,clickhouse/*,activemq/*,kong/*,flink/*,banyandb/*
+core.default.syncPeriodHttpUriRecognitionPattern=10
+core.default.enableHierarchy=true
+event-analyzer.provider=default
+receiver-otel.default.enabledHandlers=otlp-metrics,otlp-logs
+core.default.enableEndpointNameGroupingByOpenapi=true
+receiver-ebpf.default.gRPCHost=0.0.0.0
+receiver-browser.default.sampleRate=10000
+core.default.searchableTracesTags=http.method,http.status_code,rpc.status_code,db.type,db.instance,mq.queue,mq.topic,mq.broker
+core.default.instanceNameMaxLength=70
+core.default.restAcceptQueueSize=0
+receiver-sharing-server.default.gRPCHost=0.0.0.0
+telemetry.prometheus.sslKeyPath=
+log-analyzer.provider=default
+envoy-metric.default.gRPCPort=0
+storage.mysql.properties.dataSource.password=******
+agent-analyzer.default.forceSampleErrorSegment=true
+ai-pipeline.default.uriRecognitionServerPort=17128
+core.default.restIdleTimeOut=30000
+receiver-sharing-server.default.restHost=0.0.0.0
+receiver-sharing-server.provider=default
+cluster.provider=standalone
+receiver-sharing-server.default.restAcceptQueueSize=0
+agent-analyzer.provider=default
+receiver-telegraf.provider=default
+aws-firehose.default.tlsKeyPath=
+receiver-sharing-server.default.maxMessageSize=52428800
+core.default.gRPCHost=0.0.0.0
+envoy-metric.default.gRPCHost=0.0.0.0
+logql.default.restIdleTimeOut=30000
+service-mesh.provider=default
+query.provider=graphql
+receiver-telegraf.default.activeFiles=vm
+aws-firehose.default.maxRequestHeaderSize=8192
+core.default.endpointNameMaxLength=150
+core.default.metricsDataTTL=7
+storage.mysql.properties.dataSource.user=******
+promql.provider=default
+core.default.maxConcurrentCallsPerConnection=0
+configuration-discovery.provider=default
+ai-pipeline.default.baselineServerAddr=
+core.provider=default
+receiver-pprof.default.pprofMaxSize=31457280
+health-checker.provider=default
+logql.default.restHost=0.0.0.0
+receiver-sharing-server.default.restIdleTimeOut=30000
+configuration.provider=none
+logql.provider=default
+core.default.persistentPeriod=25
+storage.mysql.metadataQueryMaxSize=5000
+storage.mysql.properties.jdbcUrl=jdbc:mysql://mysql:3306/swtest?allowMultiQueries=true
+receiver-sharing-server.default.gRPCThreadPoolSize=0
+receiver-register.provider=default
+core.default.storageSessionTimeout=70000
+receiver-trace.provider=default
+envoy-metric.provider=default
+query.graphql.enableOnDemandPodLog=false
+receiver-sharing-server.default.restPort=0
+logql.default.restContextPath=/
+promql.default.restAcceptQueueSize=0
+telemetry.prometheus.host=0.0.0.0
+receiver-ebpf.default.maxMessageSize=0
+receiver-profile.provider=default
+receiver-sharing-server.default.httpMaxRequestHeaderSize=8192
+storage.mysql.properties.dataSource.useServerPrepStmts=true
+core.default.gRPCThreadPoolSize=-1
+status-query.default.keywords4MaskingSecretsOfConfig=user,password,token,accessKey,secretKey,authentication
+storage.mysql.maxSizeOfBatchSql=2000
+log-analyzer.default.malFiles=nginx
+telemetry.prometheus.port=1234
+core.default.recordDataTTL=3
+core.default.maxHttpUrisNumberPerService=3000
+core.default.downsampling=[Hour, Day]
+aws-firehose.default.idleTimeOut=30000
+core.default.maxDirectMemoryUsage=-1
+agent-analyzer.default.slowDBAccessThreshold=default:200,mongodb:100
+receiver-log.provider=default
+receiver-sharing-server.default.restContextPath=/
+receiver-async-profiler.default.memoryParserEnabled=true
+envoy-metric.default.istioServiceNameRule=${serviceEntry.metadata.name}.${serviceEntry.metadata.namespace}
+envoy-metric.default.istioServiceEntryIgnoredNamespaces=
+alarm.provider=default
+receiver-sharing-server.default.gRPCSslTrustedCAsPath=
+aws-firehose.default.firehoseAccessKey=******
+core.default.autocompleteTagValuesQueryMaxSize=100
+agent-analyzer.default.noUpstreamRealAddressAgents=6000,9000
+core.default.searchableLogsTags=level,http.status_code
+core.default.role=Mixed
+receiver-sharing-server.default.gRPCSslKeyPath=
+receiver-pprof.provider=default
+receiver-ebpf.default.gRPCSslEnabled=false
+envoy-metric.default.gRPCThreadPoolSize=0
+aws-firehose.default.host=0.0.0.0
+promql.default.restHost=0.0.0.0
+envoy-metric.default.gRPCSslEnabled=false
+core.default.gRPCSslCertChainPath=
+envoy-metric.default.enabledEnvoyMetricsRules=envoy,envoy-svc-relation
+receiver-meter.provider=default
+ai-pipeline.default.uriRecognitionServerAddr=
+promql.default.restIdleTimeOut=30000
+status-query.provider=default
+envoy-metric.default.gRPCSslKeyPath=
+core.default.gRPCPort=11800
+receiver-ebpf.default.gRPCSslTrustedCAsPath=
+receiver-jvm.provider=default
+receiver-ebpf.default.gRPCSslCertChainPath=
+promql.default.buildInfoBuildDate=
+logql.default.restPort=3100
+core.default.l1FlushPeriod=500
+promql.default.restPort=9090
+receiver-async-profiler.default.jfrMaxSize=31457280
+envoy-metric.default.alsTCPAnalysis=
+core.default.restHost=0.0.0.0
+envoy-metric.default.acceptMetricsService=true
+core.default.restContextPath=/
+envoy-metric.default.gRPCSslTrustedCAsPath=
+storage.mysql.properties.dataSource.prepStmtCacheSqlLimit=2048
+promql.default.buildInfoBranch=
+envoy-metric.default.alsHTTPAnalysis=
+core.default.maxMessageSize=52428800
+core.default.dataKeeperExecutePeriod=5
+log-analyzer.default.lalFiles=envoy-als,mesh-dp,mysql-slowsql,pgsql-slowsql,redis-slowsql,k8s-service,nginx,default
+promql.default.buildInfoBuildUser=******
+aws-firehose.default.enableTLS=false
+ai-pipeline.default.baselineServerPort=18080
+receiver-otel.provider=default
+core.default.activeExtraModelColumns=false
+query.graphql.enableUpdateUITemplate=false
\ No newline at end of file

@@ -68,4 +68,6 @@ verify:
           swctl --display yaml --base-url=http://${oap_host}:${oap_12800}/graphql trace ls --order startTime --service-name "e2e-service-provider" --endpoint-name "POST:/users" \
             | yq e '.traces[0].traceids[0]' - \
         )
-      expected: ../expected/trace-users-detail.yml
\ No newline at end of file
+      expected: ../expected/trace-users-detail.yml
+    - query: curl -X GET http://${oap_host}:${oap_12800}/debugging/config/dump
+      expected: ../expected/config-dump.yml