[BUG] Redis password gets exposed in info logs when redis username is empty

Question

[BUG] Redis password gets exposed in info logs when redis username is empty

smunukutla-mycarrier opened this issue 4 months ago · comments

Describe the bug
Redis password gets exposed in info logs when Redis username is an empty string in Chproxy config.

To Reproduce
In a case where we do not provide a Redis username and leave Caches.Redis.Username empty. Leaving username as empty string exposes the Redis password in the info logs.

Example config to reproduce the scenario:

caches:
  - name: "shortterm"
    mode: "redis"
    redis: 
      insecure_skip_verify: true
      addresses: 
        - "somewhere-redis-master:6379"
      username: ""
      password: ${REDIS_PASSWORD}
    expire: 5m
    grace_time: 20s

Expected behavior
Redis password should be masked as XXX in the info logs. Screenshots added below.

Screenshots
Current behavior:
Snippet from info logs:

Expected behavior:

Environment information
OS: Linux/Amd64
Chproxy: v1.26.0

Additional context
None

Christophe Kalenzaga · Answer 1 · Wed Feb 14 2024 22:17:21 GMT+0800 (China Standard Time)

I'm closing the issue since the fix was merged