Security: Credentials are leaked on the log file

Open mancausoft opened this issue 4 years ago • 3 comments

In the logs I can see: mongoclient {"connectionUrl":"mongodb://root:[email protected]:27017/?authSource=admin&connectTimeoutMS=3000&socketTimeoutMS=5000&authMechanism=SCRAM-SHA-1","options":{"useNewUrlParser":true,"useUnifiedTopology":true,"authSource":"admin"},"sessionId":"hXib56nsdweGeKC","level":"debug","message":"[connect]"}

Expected Behavior

Never log password

Current Behavior

The password is written in plain on the logs

Possible Solution

Replace password with some other char

Steps to Reproduce (for bugs)

Connect to a DB from the UI interface.

Your Environment

  • Nosqlclient version used: "mongoclient/mongoclient@sha256:ca98c95de349493fab630ca3fae6e611e27e392ebc59f14d7dd73580c045927a"

  • Environment name: docker

Nov 10 '21 15:11 mancausoft
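
One way to implement the "replace password" suggestion from the report above, as an added example that is not nosqlclient's own code: the payload is redacted before it reaches the logger, so the result does not depend on the configured log level. The function names, the `SECRET_KEYS` list and the sample payload are assumptions made for illustration.

```javascript
// Added example, not nosqlclient code; all names here are hypothetical.
const MASK = '****';
// Assumed list of option keys whose values are secrets.
const SECRET_KEYS = /^(password|pass|pwd)$/i;

// Mask the password in a MongoDB connection string.
// A regex is used instead of `new URL()` because replica-set URIs list
// several comma-separated hosts, which the WHATWG URL parser rejects.
function redactConnectionUrl(url) {
  if (typeof url !== 'string') return url;
  const m = /^(mongodb(?:\+srv)?:\/\/)([^?]*)(.*)$/s.exec(url);
  if (!m) return url;
  const [, scheme, beforeQuery, query] = m;
  // Use the LAST '@' so a password containing an unescaped '@' is still
  // fully masked (fail closed rather than leak a fragment).
  const at = beforeQuery.lastIndexOf('@');
  const colon = beforeQuery.indexOf(':');
  // No userinfo, or a username without a password: nothing to mask.
  if (at === -1 || colon === -1 || colon > at) return url;
  return scheme + beforeQuery.slice(0, colon + 1) + MASK + beforeQuery.slice(at) + query;
}

// Return a redacted deep copy of a log payload; the input is not mutated.
function sanitizeLogPayload(value, key = '') {
  if (typeof value === 'string') {
    return SECRET_KEYS.test(key) ? MASK : redactConnectionUrl(value);
  }
  if (Array.isArray(value)) return value.map((v) => sanitizeLogPayload(v));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = sanitizeLogPayload(v, k);
    return out;
  }
  return value;
}

// Constructed payload with the same shape as the log line in the report.
const samplePayload = {
  connectionUrl: 'mongodb://root:constructed-s3cr3t@db.example.internal:27017/?authSource=admin&authMechanism=SCRAM-SHA-1',
  options: { useNewUrlParser: true, useUnifiedTopology: true, authSource: 'admin' },
  sessionId: 'constructed-session-id',
  level: 'debug',
  message: '[connect]',
};
console.log(JSON.stringify(sanitizeLogPayload(samplePayload)));
```
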

Hi @mancausoft I'm surprised nosqlclient is still being used :) I can't find time to keep developing nosqlclient any further.

Yet this one is a resolved issue, you can set MONGOCLIENT_LOG_LEVEL env variable to info and you won't see debug logs anymore.

Nov 10 '21 16:11 rsercano

@rsercano The Log level was already set to INFO

Nov 10 '21 17:11 mancausoft

> @rsercano The Log level was already set to INFO

Strange that the log you sent is a debug log actually, could you please send me a screenshot of your docker info command?

Nov 11 '21 09:11 rsercano