SecurIty: Credentials are leaked on the log file

Question

SecurIty: Credentials are leaked on the log file

mancausoft opened this issue 3 years ago · comments

In the logs i can see:
mongoclient
{"connectionUrl":"mongodb://root:password@mongodb.develop:27017/?authSource=admin&connectTimeoutMS=3000&socketTimeoutMS=5000&authMechanism=SCRAM-SHA-1","options":{"useNewUrlParser":true,"useUnifiedTopology":true,"authSource":"admin"},"sessionId":"hXib56nsdweGeKC","level":"debug","message":"[connect]"}

Expected Behavior

Never log password

Current Behavior

The password is written in plain on the logs

Possible Solution

Replace password with some other char

Steps to Reproduce (for bugs)

Connect to a DB from the UI interface.

Your Environment

Nosqlclient version used: "mongoclient/mongoclient@sha256:ca98c95de349493fab630ca3fae6e611e27e392ebc59f14d7dd73580c045927a"
Environment name: docker

Sercan Özdemir · Answer 1 · Thu Nov 11 2021 00:55:15 GMT+0800 (China Standard Time)

Hi @mancausoft I'm surprised nosqlclient is still being used :) I cant find time to keep developing nosqlclient any further.

Yet this one is a resolved issue, you can set MONGOCLIENT_LOG_LEVEL env variable to info and you won't see debug logs anymore.

Andrea Milazzo · Answer 2 · Thu Nov 11 2021 01:45:48 GMT+0800 (China Standard Time)

@rsercano The Log level was already set to INFO

Sercan Özdemir · Answer 3 · Thu Nov 11 2021 17:55:38 GMT+0800 (China Standard Time)

@rsercano The Log level was already set to INFO

Strange that the log you sent is a debug log actually, could you please send me a screenshot of your docker info command?