aerospike-client-nodejs icon indicating copy to clipboard operation
aerospike-client-nodejs copied to clipboard

Published 20 hours ago verified publisher icon aerospike

Aerospike Error prints / logs password as a config

Open nsquaretologn opened this issue 4 years ago • 3 comments
trafficstars

Aerospike error object {command:{client:{config:{"password":""}}}} emits password connection information which is not secure. Delete config object in stack trace when printing error command as it emits sensitive information

This happens in aerospike/lib/error.js

nsquaretologn avatar Apr 20 '21 15:04 nsquaretologn

Thanks for raising this issue. The client's Config class already has a custom inspect method, which masks the password when then config is converted to a string or logged using console.info:

> node
const { Config } = require('./')
const cfg = new Config({ user: 'foo', password: 'bar' })
console.log(cfg)
{
  user: 'foo',
  password: '[FILTERED]',
  clusterName: undefined,
  port: 3000,
  hosts: '192.168.1.15:55023',
  policies: {},
  useAlternateAccessAddress: false,
  rackAware: undefined
}

How are you converting the error object into a string?

jhecking avatar Apr 21 '21 01:04 jhecking

Thanks for the information. We are printing Aerospike Error class which while printing the command object prints the password & all critical information example. Directly printing the error object. Not converting it to a string

This is the object which I am getting on priinting Aerospike Error Object during put call

{
  "name": "AerospikeError",
  "line": 846,
  "command": {
    "client": {
      "config": {
        "port": 3000,
        "connTimeoutMs": 10000,
        "password": "[Not Masked]",
        "hosts": "[Not Masked]",
        "policies": {},
        "useAlternateAccessAddress": false,
        "user": "[Not Masked]",
        "loginTimeoutMs": 10000
      },
      "as_client": {},
      "_eventsCount": 0,
      "_events": {},
      "domain": null,
      "connected": true,
      "captureStackTraces": false
    },
    "key": {

    },
    "args": [
    ],
    "ensureConnected": true,
    "captureStackTraces": false
  },
  "inDoubt": true,
  "file": "src/main/aerospike/as_event.c",
  "func": "as_event_total_timeout",
  "code": 9
}

`

`

nsquaretologn avatar Apr 21 '21 03:04 nsquaretologn

I'm not really sure to resolve this to be honest: The client reference was added to the AerospikeError class so that it could e.g. be used to close the connection in case of connection errors:

const Aerospike = require('aerospike')

Aerospike.connect().then(async client => {
  await client.put(new Aerospike.Key('demo', 'test', 'foo'), { 'foo': 'bar' })
  client.close()
}).catch(error => {
  console.error('Error: %s [%i]', error.message, error.code)
  if (error.client) error.client.close()
})

https://www.aerospike.com/apidocs/nodejs/AerospikeError.html#client

So the error class can't remove or modify the client's config, as that would affect the client itself.

Based on the quoting of the property names in your output I'm guessing that maybe JSON.stringify() is used somewhere to render the error object to a string? If that's the case, one possible solution might be to add a custom toJSON function on the AerospikeError class, to e.g. omit the entire client reference from the object. But since the JSON.stringify() function might be used for other purposes, e.g. serialization, that might have other unintended consequences.

jhecking avatar Apr 22 '21 02:04 jhecking

Can be easily resolved with private field and getter/setter

bit0r1n avatar Dec 02 '23 17:12 bit0r1n

This should be addressed sufficiently with custom inspect method mentioned above

DomPeliniAerospike avatar Jan 11 '24 15:01 DomPeliniAerospike