go-admin
[BUG] Passwords are logged when setting OperationLogOff to false
Bug Description [describe the bug in detail]
Hello, when setting OperationLogOff to false (which is the default value), passwords are logged in the GoAdmin operation log. This leaks any user password.
How to reproduce [describe the steps how to reproduce the bug]
- Create a new goadmin instance
- Connect as admin
- Create a new user account and define their password
- Log in as the newly created user, browse to settings and edit your password
- Browse to /admin/info/op
- You can see the different passwords in the logged payload
Expect [describe your expect result]
Passwords are not logged or are redacted from log.
Versions
- GoAdmin version: 1.2.23
I can open a merge request fixing this issue, I'd just like your opinion on what would be the best way to proceed:
- inspect payload and redact password fields
- avoid logging form data for some URLs.
- other
Thanks in advance for your answer.
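The two fixes proposed above (redact password fields in the payload, or skip form logging for certain URLs) can be illustrated with a small Go example. This is added example code, not GoAdmin's own implementation: the field-name fragments, the skip-list paths and the sample form are all constructed for illustration, and `OperationLogPayload` stands in for whatever the operation-log writer would call before persisting a request body.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// sensitiveKeyFragments lists substrings (matched case-insensitively) that mark a
// form field as a secret. Assumed list for this example; extend it for the forms
// your application actually exposes.
var sensitiveKeyFragments = []string{"password", "passwd", "pwd", "secret", "token"}

// skipLogPaths lists request paths whose form body should not be recorded at all.
// These paths are constructed for the example and are not GoAdmin's route table.
var skipLogPaths = map[string]bool{
	"/admin/info/manager/edit": true,
	"/admin/setting":           true,
}

const redactedMarker = "[REDACTED]"

// IsSensitiveKey reports whether a form field name looks like it carries a secret.
func IsSensitiveKey(key string) bool {
	lower := strings.ToLower(key)
	for _, frag := range sensitiveKeyFragments {
		if strings.Contains(lower, frag) {
			return true
		}
	}
	return false
}

// RedactForm returns a copy of values in which every sensitive field's values are
// replaced by a marker. The original map is left untouched, so request handling
// is unaffected; only what reaches the operation log changes.
func RedactForm(values url.Values) url.Values {
	out := make(url.Values, len(values))
	for key, vals := range values {
		if IsSensitiveKey(key) {
			out[key] = []string{redactedMarker}
			continue
		}
		out[key] = append([]string(nil), vals...)
	}
	return out
}

// OperationLogPayload builds the JSON string that would be stored in the op log.
// It returns ok=false when the path is one whose body must not be logged at all,
// which covers the second option (skip form data for some URLs); otherwise the
// redacted form is serialised, which covers the first option.
func OperationLogPayload(path string, values url.Values) (payload string, ok bool, err error) {
	if skipLogPaths[path] {
		return "", false, nil
	}
	b, err := json.Marshal(RedactForm(values))
	if err != nil {
		return "", false, err
	}
	return string(b), true, nil
}

func main() {
	// Constructed sample of what a password-change form post might carry.
	form := url.Values{
		"username":         {"alice"},
		"password":         {"hunter2"},
		"password_confirm": {"hunter2"},
		"avatar":           {""},
	}
	payload, ok, err := OperationLogPayload("/admin/info/manager/new", form)
	fmt.Println(payload, ok, err)
	payload, ok, err = OperationLogPayload("/admin/setting", form)
	fmt.Println(payload, ok, err)
}
```

Redacting by field name is the more robust of the two options, because it still protects a password that arrives on a path nobody thought to add to the skip list; the skip list is useful on top of it for endpoints where the whole body is sensitive.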
After some additional tests and digging into the code, I feel like the OperationLogOff config parameter is not injected into the github.com/GoAdminGroup/go-admin/plugins/admin/controller.Handler configuration anyway.
+1