Passwords leaked in the notifiers
skx opened this issue · comments
Steve Kemp commented
Assuming you have the following input:
imap.company.com must run imap with username 'foo@bar.com' with password 'secret'
If you're using the MQ / Purppura notifiers then they will receive a copy of the input. In the case of MQ you'll see this logged:
{"input":"1.2.3.4 must run imaps with password 'secret' with username 'foo@bar.com'",
...}
This is because the raw input is given to the notifier. We should censor out passwords (as used in MySQL, HTTP, POP3(s), IMAP(s), etc) in our notifications.