ioredis
Errors contain credentials in plaintext
When wrong credentials are provided to Redis, this gets logged:
{"level":50,"time":1674832773627,"pid":1,"hostname":"service-79d5f6fb77-gf4ks","type":"ReplyError","message":"WRONGPASS invalid username-password pair or user is disabled.","stack":"ReplyError: WRONGPASS invalid username-password pair or user is disabled.\n at parseError (/app/node_modules/redis-parser/lib/parser.js:179:12)\n at parseType (/app/node_modules/redis-parser/lib/parser.js:302:14)","command":{"name":"auth","args":["APPLICATION_USERNAME","APPLICATION_PASSWORD"]}}
APPLICATION_USERNAME and APPLICATION_PASSWORD should not be there.
This issue was previously reported: https://github.com/luin/ioredis/issues/1229, and there was a proposed fix that was ignored: https://github.com/luin/ioredis/pull/1233
Hey @kibertoad 👋
Thanks for reporting this! https://github.com/luin/ioredis/pull/1233 was a bit more complicated than I thought, so it hasn't been merged. If there are easier ways to fix the issue, PRs are welcome!
Got a similar issue recently, here is the error object:
{
  command: {
    args: [
      '******CLEARTESTUSER******',
      '******CLEARTEXTPASSWORD******',
    ],
    name: 'auth',
  },
  message: 'ERR max number of clients reached',
  stack: 'ReplyError: ERR max number of clients reached
    at parseError (/redacted/node_modules/ioredis/node_modules/redis-parser/lib/parser.js:179:12)
    at parseType (/redacted/node_modules/ioredis/node_modules/redis-parser/lib/parser.js:302:14)',
  type: 'ReplyError',
}
Will filter out logging when I have command.name === 'auth' in an error for now.
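One way to do that filtering on the application side, as an added example that is neither ioredis code nor the commenter's own: a log serializer that blanks the args of credential-carrying commands and scrubs known secrets out of message/stack before the error is logged. The ReplyError shape (name, message, stack, command.name, command.args) is the one quoted above; treating 'hello' as credential-carrying is an assumption (a RESP3 HELLO can include AUTH user pass).

```javascript
// Added example, not ioredis code: redact credentials from an ioredis
// ReplyError before it reaches the logger. ioredis attaches the failed
// command as err.command = { name, args }, so a failed AUTH carries the
// username and password in err.command.args (as quoted in this issue).
// Commands whose arguments are credentials. 'auth' is the case from the
// issue; 'hello' is an assumption (RESP3 HELLO may carry AUTH user pass).
const CREDENTIAL_COMMANDS = new Set(['auth', 'hello']);

// Replace every argument of a credential-carrying command; other commands
// keep their args so the log stays useful for debugging.
function redactArgs(name, args) {
  if (!Array.isArray(args)) return args;
  if (!CREDENTIAL_COMMANDS.has(String(name).toLowerCase())) return args;
  return args.map(() => '[REDACTED]');
}

// Remove known secrets from free text (message/stack). The client already
// knows its own password, so it can grep for it, as the last comment notes.
function scrubSecrets(text, secrets) {
  if (typeof text !== 'string') return text;
  let out = text;
  for (const secret of secrets) {
    if (secret) out = out.split(secret).join('[REDACTED]');
  }
  return out;
}

// Build a plain object that is safe to pass to a JSON logger such as pino.
function serializeRedisError(err, secrets = []) {
  const safe = {
    type: err.name,
    message: scrubSecrets(err.message, secrets),
    stack: scrubSecrets(err.stack, secrets),
  };
  if (err.command) {
    safe.command = {
      name: err.command.name,
      args: redactArgs(err.command.name, err.command.args),
    };
  }
  return safe;
}

// Constructed sample mirroring the error object quoted above.
const sample = {
  name: 'ReplyError',
  message: 'ERR max number of clients reached',
  stack: 'ReplyError: ERR max number of clients reached\n    at parseError (...)',
  command: { name: 'auth', args: ['CLEARTEXTUSER', 'CLEARTEXTPASSWORD'] },
};
console.log(JSON.stringify(serializeRedisError(sample, ['CLEARTEXTPASSWORD'])));
```

With pino, the same function can be registered as the serializer for the `err` key so every logged ioredis error passes through it.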
I've only done a cursory look at this, but I imagine since Redis knows my password, it can search error output and grep/scrub it?