Security: Credentials are leaked on the log file
mancausoft opened this issue · comments
In the logs I can see:
mongoclient
{"connectionUrl":"mongodb://root:password@mongodb.develop:27017/?authSource=admin&connectTimeoutMS=3000&socketTimeoutMS=5000&authMechanism=SCRAM-SHA-1","options":{"useNewUrlParser":true,"useUnifiedTopology":true,"authSource":"admin"},"sessionId":"hXib56nsdweGeKC","level":"debug","message":"[connect]"}
Expected Behavior
Never log password
Current Behavior
The password is written in plain on the logs
Possible Solution
Replace password with some other char
Steps to Reproduce (for bugs)
Connect to a DB from the UI interface.
Your Environment
- Nosqlclient version used: "mongoclient/mongoclient@sha256:ca98c95de349493fab630ca3fae6e611e27e392ebc59f14d7dd73580c045927a"
- Environment name: docker
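One way to implement the masking suggested under "Possible Solution", as an added example that is not nosqlclient's own code: it rewrites any MongoDB URI inside a value before it reaches the logger. The helper names `redactMongoUrl` and `redactForLog`, the `***` mask, and the list of sensitive key names are assumptions made for this illustration.

```javascript
// Added example; redactMongoUrl and redactForLog are hypothetical helpers,
// not functions from nosqlclient.
const MASK = '***';

// Scheme, then userinfo up to the LAST "@" before the first "/" or "?".
// Taking the last "@" also covers passwords with an unencoded "@".
const MONGO_CREDS = /(mongodb(?:\+srv)?:\/\/)([^\s\/?"']*)@/gi;

// Assumption: field names that hold secrets in a logged object.
const SENSITIVE_KEY = /^(password|passwd|pwd)$/i;

// Mask the password of every MongoDB URI found inside a string.
function redactMongoUrl(text) {
  return text.replace(MONGO_CREDS, (whole, scheme, userinfo) => {
    const colon = userinfo.indexOf(':');
    if (colon === -1) return whole; // username only, nothing to mask
    return `${scheme}${userinfo.slice(0, colon)}:${MASK}@`;
  });
}

// Return a redacted deep copy of a value that is about to be logged.
function redactForLog(value) {
  if (typeof value === 'string') return redactMongoUrl(value);
  if (Array.isArray(value)) return value.map(redactForLog);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_KEY.test(key) && v != null ? MASK : redactForLog(v);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined
}

// Constructed entry shaped like the debug line quoted in this issue.
const sample = {
  connectionUrl: 'mongodb://root:password@mongodb.develop:27017/?authSource=admin&authMechanism=SCRAM-SHA-1',
  options: { useNewUrlParser: true, useUnifiedTopology: true, authSource: 'admin' },
  sessionId: 'hXib56nsdweGeKC',
  level: 'debug',
  message: '[connect]',
};
console.log(JSON.stringify(redactForLog(sample)));
```

Applying the redaction where the connection object is handed to the logger means the secret stays out of the file whatever log level is in effect.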
Hi @mancausoft I'm surprised nosqlclient is still being used :) I can't find time to keep developing nosqlclient any further.
Yet this one is a resolved issue, you can set MONGOCLIENT_LOG_LEVEL env variable to info and you won't see debug logs anymore.
@rsercano The Log level was already set to INFO
Strange that the log you sent is a debug log actually, could you please send me a screenshot of your docker info command?