
Passwords exposed in log files

Open TheRealJon opened this issue 7 years ago • 2 comments

I intentionally left password fields blank in my config files because I do not want any passwords stored in plain text. Upon running a rocketeer command that requires SVN authentication, I was prompted for credentials as expected. What I didn't expect was that the SVN checkout command would be logged with username and password options in plain text. I discovered this by chance when browsing through the logs. At the very least, there should be some mention of this in the documentation. More to the point, a better logging strategy should be used to avoid exposing passwords.

TheRealJon avatar May 17 '17 14:05 TheRealJon

I think the second solution is best: any sensitive information should be screened and hidden before being passed on to the logs, including within commands that are run on the server. In the meantime, do you have the possibility to use an SSH checkout rather than an HTTP one? That way only your username is present in the logs, but not any kind of password.

Anahkiasen avatar May 17 '17 14:05 Anahkiasen
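The screening step suggested above, as an added example that is not part of the issue thread and not rocketeer's own code: a small PHP function that masks the value of an SVN `--password` option (space- or `=`-separated, quoted or bare) and any `user:password@host` credential embedded in a URL before the command string reaches a log. The `redactCommandForLog` name, the `[REDACTED]` marker and the sample commands are assumptions constructed for this example; the username is deliberately left visible, matching what the comment considers acceptable.

```php
<?php
// Added example, not rocketeer's own code. Assumed: the deploy tool builds
// shell commands as strings and writes them to a log; this function is the
// point where credentials are masked before that write.

function redactCommandForLog(string $command): string
{
    $patterns = [
        // "--password secret", "--password=secret", "--password 'two words'"
        '/(--password(?:=|\s+))(?:"[^"]*"|\'[^\']*\'|\S+)/' => '${1}[REDACTED]',
        // credentials embedded in a URL: scheme://user:secret@host/...
        '/(\w+:\/\/[^\s\/:@]+:)[^\s@]+(@)/'                 => '${1}[REDACTED]${2}',
    ];

    foreach ($patterns as $pattern => $replacement) {
        $command = preg_replace($pattern, $replacement, $command);
    }

    return $command;
}

// Minimal logger wrapper so every command line passes through the filter;
// a real integration would wrap whatever logger the tool already uses.
final class CommandLogger
{
    /** @var string[] */
    private array $lines = [];

    public function logCommand(string $command): void
    {
        $this->lines[] = '[cmd] ' . redactCommandForLog($command);
    }

    /** @return string[] */
    public function lines(): array
    {
        return $this->lines;
    }
}

// Constructed sample commands (not real repositories or credentials).
$samples = [
    "svn checkout --username alice --password 's3cr3t pass' --non-interactive https://svn.example.com/repo trunk",
    "svn checkout --username=alice --password=s3cr3t https://svn.example.com/repo trunk",
    "git clone https://alice:s3cr3t@git.example.com/repo.git",
];

$logger = new CommandLogger();
foreach ($samples as $cmd) {
    $logger->logCommand($cmd);
}

foreach ($logger->lines() as $line) {
    echo $line, PHP_EOL;
}
// [cmd] svn checkout --username alice --password [REDACTED] --non-interactive https://svn.example.com/repo trunk
// [cmd] svn checkout --username=alice --password=[REDACTED] https://svn.example.com/repo trunk
// [cmd] git clone https://alice:[REDACTED]@git.example.com/repo.git
```

Masking at the logging boundary only protects the log file: a password passed as a command-line argument is still visible to other local users in the process list while `svn` runs, so reading it from a prompt or from a credential store that the VCS client consults directly (rather than interpolating it into the command) is the stronger fix, with redaction kept as a safety net.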

No, unfortunately we don't have control over the SVN server configuration.

TheRealJon avatar May 17 '17 15:05 TheRealJon