
fix: hide sensitive data from debug logs #1797

Open
wants to merge 3 commits into base: main

Conversation

kinueng

@kinueng kinueng commented Aug 15, 2023

Fixes #1796

With my limited knowledge of this code base, I have tried to patch the specific scenario reported in #1796.

I think there can be improvements to this code but I lack the code base knowledge to put this logic in a universal place where all logs will sanitize values associated with the command auth.

How I tested using [email protected]

  1. docker pull redis/redis-stack-server:latest
  2. docker run -d --name redis-stack-server -p 6379:6379 redis/redis-stack-server:latest
  3. npm install ioredis
  4. Edit node_modules/ioredis/built/utils/debug.js directly with this PR code
  5. Run DEBUG=ioredis:* node app.js with the file below.
const http = require('http');
const Redis = require('ioredis');

const hostname = '127.0.0.1';
const port = 3000;

// Client authenticates with a password; this is the value that #1796 reports
// showing up in plaintext in the DEBUG=ioredis:* output.
const redisClient = new Redis({
    host: 'localhost',
    port: 6379,
    password: 'foobar'
});

redisClient.on('connect', () => {
    console.info('connected to redis server');
});

// Minimal HTTP server so the process stays alive long enough to observe the
// connection and AUTH debug lines.
const server = http.createServer((req, res) => {
  res.statusCode = 200;
  res.setHeader('Content-Type', 'text/plain');
  res.end('Hello World');
});

server.listen(port, hostname, () => {
  console.log(`Server running at http://${hostname}:${port}/`);
});

  6. Observed the log and saw the message ioredis:redis write command[127.0.0.1:6379]: 0 -> auth('***********') +1ms
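The redaction shown in the step above, as an added stand-alone example that is neither this PR's patch nor ioredis's own lib/utils/debug.ts: a sanitizer that masks credential-bearing arguments before a command is formatted into a debug line. It goes beyond the single-argument AUTH case reported here by also covering the two-argument AUTH form and the inline AUTH of HELLO; the function names, the fixed-length mask and the sample commands are assumptions.

```javascript
// Added example (not ioredis's lib/utils/debug.ts): mask credential-bearing
// arguments before a command reaches a debug line. Function names are assumed.
const MASK = '***********'; // fixed length, so the log leaks no password length

// Returns a copy of args with secrets replaced. Two cases are handled:
//   AUTH <password>  /  AUTH <username> <password>   -> every argument masked
//   HELLO <protover> [AUTH <username> <password>]    -> the pair after AUTH masked
function sanitizeArgs(command, args) {
  const name = String(command).toLowerCase();
  const out = args.map((a) => String(a));
  if (name === 'auth') {
    return out.map(() => MASK);
  }
  if (name === 'hello') {
    const i = out.findIndex((a) => a.toLowerCase() === 'auth');
    if (i !== -1) {
      // Conservative choice: mask both the username and the password after AUTH.
      for (let j = i + 1; j < Math.min(i + 3, out.length); j++) out[j] = MASK;
    }
  }
  return out;
}

// Builds the text of one "write command" debug line, in the shape of the
// redacted line quoted in the PR description above.
function formatCommandLog(address, index, command, args) {
  const shown = sanitizeArgs(command, args).map((a) => `'${a}'`).join(', ');
  return `write command[${address}]: ${index} -> ${String(command).toLowerCase()}(${shown})`;
}

// Demo with constructed sample commands (only runs when executed directly).
if (typeof require !== 'undefined' && require.main === module) {
  console.log(formatCommandLog('127.0.0.1:6379', 0, 'auth', ['foobar']));
  console.log(formatCommandLog('127.0.0.1:6379', 1, 'hello', ['3', 'AUTH', 'default', 'foobar']));
  console.log(formatCommandLog('127.0.0.1:6379', 2, 'get', ['session:42']));
}
```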

lib/utils/debug.ts (outdated; resolved)

@HardikJade HardikJade left a comment


Suggestion

Development

Successfully merging this pull request may close these issues.

Logs show plaintext password
2 participants