
`mysql_password` (and probably lots of others) is displayed all over the logs when using a single `-v`

Open nazarewk opened this issue 1 year ago • 1 comments

Describe the bug

I'm new to pyinfra, trying to rewrite MySQL user management from Ansible. When I try to add some verbosity to understand what is going on (-v flag), I am seeing mysql_password in plain text all over the logs.

mysql is probably not the only place that doesn't sanitize secrets like this.

To Reproduce

Connect to password-protected MySQL database with -v flag.

Expected behavior

I would expect all possibly sensitive information to be masked out from logging, unless (or even when) I use the maximum verbosity. It could go as far as using a separate flag like --debug-secret to unmask those.

Meta

in pyinfra 2.9.2

@Fizzadar mentioned on Matrix chat:

I see yep, when used as a fact argument, that's a miss in the hiding there

nazarewk, Jul 15 '24 13:07

This is unfortunate. A lot of work went into the MaskString and various string command classes; unfortunately, fact arguments are bypassing that entirely.

Fizzadar, Jul 21 '24 18:07
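
A simplified model of the gap discussed in this thread, added here as an illustration; it is not pyinfra's code. `Masked`, `Command`, `operation_command`, `fact_command`, `RedactFilter`, `capture` and the sample password are hypothetical names and constructed values. It shows how a marker-type mask is lost once a code path flattens arguments into a plain string before logging, and how a value-based logging filter covers that path as a second layer.

```python
import logging

class Masked(str):
    """Hypothetical marker type: a value that must never be logged verbatim."""

class Command:
    """Keeps parts separate so the mask survives until render time."""
    def __init__(self, *parts):
        self.parts = parts
    def raw(self):     # string that is actually executed
        return " ".join(self.parts)
    def masked(self):  # string that is safe to log
        return " ".join("***" if isinstance(p, Masked) else p for p in self.parts)

def operation_command(user, password):
    # Masked path: the secret stays wrapped in its own part.
    return Command("mysql", "-u" + user, Masked("-p" + password), "-e", "SELECT 1")

def fact_command(user, password):
    # Gap: the f-string flattens everything to plain str, so the marker is lost
    # even if the caller passed a Masked value.
    return Command(f"mysql -u{user} -p{password} -e 'SELECT 1'")

class RedactFilter(logging.Filter):
    """Second layer: scrub known secret values whichever path built the line."""
    def __init__(self, secrets):
        super().__init__()
        self.secrets = [s for s in secrets if s]
    def filter(self, record):
        msg = record.getMessage()
        for secret in self.secrets:
            msg = msg.replace(secret, "***")
        record.msg, record.args = msg, ()
        return True

def capture(text, secrets=()):
    """Log one debug line through RedactFilter and return what was emitted."""
    lines = []
    handler = logging.Handler()
    handler.emit = lambda record: lines.append(record.getMessage())
    handler.addFilter(RedactFilter(secrets))
    log = logging.getLogger("mask_demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.DEBUG)
    log.debug("running: %s", text)
    return lines[0]

SECRET = "s3cr3t-constructed"  # constructed sample value
```
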