[BUG] Zep Admin console leaks database password
jmkinard opened this issue
Describe the bug
The postgres password is incorrectly redacted from the DSN on the Settings page of the Zep Admin dashboard
To Reproduce
Visit the Settings page of the admin dashboard; the database password is visible at Store.Postgres.DSN
See this go playground for a minimal reproduction: https://go.dev/play/p/LTKmPmFcVMh
Expected behavior
The settings page should not display the database password
Logs
N/A
Environment (please complete the following information):
- Zep version: v0.21.0
- Zep SDK and version: N/A
- Deployment: K8S
Additional context
Suggested fix: in the regex, move the case-insensitive flag out of the first group to avoid making it a non-capturing group:
`(?i)(postgres://[^:]+:)([^@]+)`
See this go playground for a minimal reproduction: https://go.dev/play/p/LTKmPmFcVMh
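The group-numbering mistake described in this issue, as an added example that is not Zep's code or the reporter's playground. The faulty pattern and the `${1}` replacement template are assumed shapes reconstructed from the description. The DSN, the mask text and the `redactChecked` helper are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample values, not taken from any real deployment.
const (
	samplePassword = "s3cr3t-constructed"
	sampleDSN      = "postgres://zep:" + samplePassword + "@db.example.internal:5432/zep?sslmode=disable"
	mask           = "****" // hypothetical placeholder text
)

var (
	// Assumed shape of the faulty pattern: (?i:...) sets the flag but does not
	// capture, so the password becomes group 1.
	buggyRe = regexp.MustCompile(`(?i:postgres://[^:]+:)([^@]+)`)
	// Pattern suggested in the issue: the prefix is group 1, the password group 2.
	fixedRe = regexp.MustCompile(`(?i)(postgres://[^:]+:)([^@]+)`)
)

// redact keeps group 1 and replaces the rest of the match with the mask.
func redact(re *regexp.Regexp, dsn string) string {
	return re.ReplaceAllString(dsn, "${1}"+mask)
}

// redactChecked refuses patterns whose group layout is not (prefix)(password)
// and returns only the mask when the DSN does not match, so it fails closed.
func redactChecked(re *regexp.Regexp, dsn string) (string, error) {
	if re.NumSubexp() != 2 {
		return mask, fmt.Errorf("pattern has %d capture groups, want 2", re.NumSubexp())
	}
	m := re.FindStringSubmatchIndex(dsn)
	if m == nil {
		return mask, nil
	}
	// m[4]:m[5] are the byte offsets of group 2, the password.
	return dsn[:m[4]] + mask + dsn[m[5]:], nil
}

func main() {
	for name, re := range map[string]*regexp.Regexp{"buggy": buggyRe, "fixed": fixedRe} {
		out := redact(re, sampleDSN)
		fmt.Printf("%-5s leaked=%-5v %s\n", name, strings.Contains(out, samplePassword), out)
	}
	_, err := redactChecked(buggyRe, sampleDSN)
	fmt.Println("checked with buggy pattern:", err)
}
```

A unit test that asserts the known secret never appears in the redacted string catches this class of regression regardless of how the pattern is written.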
Thanks for reporting!
@ellipsis-dev fix
This has been resolved in v0.22.0. Thanks again for reporting the issue!