seaweedfs / seaweedfs

SeaweedFS is a fast distributed storage system for blobs, objects, files, and data lake, for billions of files! Blob store has O(1) disk seek, cloud tiering. Filer supports Cloud Drive, cross-DC active-active replication, Kubernetes, POSIX FUSE mount, S3 API, S3 Gateway, Hadoop, WebDAV, encryption, Erasure Coding.

Credentials leaking in logs

sebadob opened this issue

Describe the bug
It's not a bug but more a small security issue.
When a database connection fails for filer, the credentials are logged into the console.

For instance, I have set up a test deployment with a Postgres. In case of a connection error to the DB, the username and password are logged into the console as plain text.
This is not a critical thing, so it could be done with any upcoming release, I guess.

System Setup
Any running filer with an external database (Postgres in this case) that cannot connect to the DB. For instance, provide an unreachable IP or something like this.

Expected behavior
I would suggest either not logging the password at all, or logging it at debug or trace level only, so it would normally not show up.

That was a very quick one, thanks!
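
One way to keep the password out of a connection-failure message, shown as an added example that is not SeaweedFS's own code or the fix that was merged. `RedactDSN` and `ConnectError` are hypothetical helper names, and the DSNs are constructed samples; it goes beyond the issue's single case by covering both the keyword/value and the URL form of a Postgres connection string.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Matches any "...password=value" pair in a keyword/value DSN; the value may be single-quoted.
var kvPassword = regexp.MustCompile(`(?i)(\w*password)\s*=\s*('(?:[^'\\]|\\.)*'|\S+)`)

// RedactDSN returns a copy of dsn that is safe to write to a log.
func RedactDSN(dsn string) string {
	if strings.HasPrefix(dsn, "postgres://") || strings.HasPrefix(dsn, "postgresql://") {
		u, err := url.Parse(dsn)
		if err != nil {
			// url.Parse errors echo the input, so never log err itself here.
			return "<unparseable DSN withheld>"
		}
		if _, ok := u.User.Password(); ok {
			u.User = url.UserPassword(u.User.Username(), "REDACTED")
		}
		if q := u.Query(); q.Has("password") {
			q.Set("password", "REDACTED")
			u.RawQuery = q.Encode()
		}
		return u.String()
	}
	return kvPassword.ReplaceAllString(dsn, "${1}=REDACTED")
}

// ConnectError wraps cause with a loggable description of the target database.
func ConnectError(dsn string, cause error) error {
	return fmt.Errorf("can not connect to %s: %w", RedactDSN(dsn), cause)
}

func main() {
	// Constructed sample DSN and error, not taken from the issue.
	dsn := "host=10.0.0.9 port=5432 user=seaweed password=s3cr3t dbname=filer sslmode=disable"
	fmt.Println(ConnectError(dsn, errors.New("dial tcp 10.0.0.9:5432: i/o timeout")))
}
```

Redacting at the point where the message is built keeps the secret out of every log level, so it also covers deployments that run with debug logging enabled.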