node-redis icon indicating copy to clipboard operation
node-redis copied to clipboard
verified publisher icon redis

Could you update code to hide password for sercure?

Open vantoan8x opened this issue 5 years ago • 3 comments

Issue

Describe your issue here When dump or error, sometime redis client handle was dumped or jsonized, it could br show the redis password. Could you please to hide Redis connection password for secure?

Redis show password

Environment

  • Node.js Version: Redis can run
  • Redis Version: 2.8.0
  • Platform: Mac/Linux

vantoan8x avatar Mar 30 '20 14:03 vantoan8x

Jumping on this as even in the logs on a failed connect (error was using redis:// instead of rediss://) the username & password are in plain text, which is a potential high severity security issue that should be fixed asap.

Capture d’écran 2021-09-15 à 09 13 22

dackmin avatar Sep 15 '21 07:09 dackmin

I don't believe this is an issue anymore.

When logging a redis client object the following is logged:

RedisClient {
  _events: [Object: null prototype] { error: [Function (anonymous)] },
  _eventsCount: 1,
  _maxListeners: undefined,
  commandOptions: [Function: commandOptions],
  select: [AsyncFunction: SELECT],
  subscribe: [Function: SUBSCRIBE],
  unsubscribe: [Function: UNSUBSCRIBE],
  pSubscribe: [Function: PSUBSCRIBE],
  pUnsubscribe: [Function: PUNSUBSCRIBE],
  sSubscribe: [Function: SSUBSCRIBE],
  sUnsubscribe: [Function: SUNSUBSCRIBE],
  quit: [Function: QUIT],
  multi: [Function: MULTI],
  [Symbol(kCapture)]: false
}

dhensby avatar Oct 07 '24 12:10 dhensby

For your information, it's seem to be changed and impacted a fix!

vantoan8x avatar Oct 16 '24 00:10 vantoan8x