sonatype-nexus-community / nexus-repository-apt

A Nexus Repository 3 plugin that allows usage of apt repositories


Passphrase is visible in logs

testuser7 opened this issue · comments

Passphrase is visible in logs after saving the repository configuration.

Seems like Nexus itself does this. No plan to fix.

I am not 100% sure on this, but I know that when you create a repo like for npm, etc... it will blank out the password in the logs. I think this is accomplished by naming it something similar to:

  private static final List<String> SENSITIVE_FIELD_NAMES = newArrayList("applicationPassword", "password",
      "systemPassword", "secret");

That list can be found in /components/nexus-repository/src/main/java/org/sonatype/nexus/repository/config/Configuration.java if you are looking at nexus-public.

Based on what @DarthHater says, seems like this is at least potentially something that could be dealt with within the plugin. PRs welcome.

@DarthHater - I looked into this a bit more, and it seems like there's not an easy way to make this work without changing the naming of the config attributes.

I'd suggest either making this extensible in core, or maybe at some point in core you could add keypair and passphrase to the list of SENSITIVE_FIELD_NAMES in src/main/java/org/sonatype/nexus/repository/config/Configuration.java
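The name-based masking discussed in the comments above, as an added example that is not part of the original thread and not the Nexus Repository source. It shows why attributes named `keypair` and `passphrase` pass through a filter built on the four quoted names; the `redact` helper, the `signing` and `authentication` section names, the extended list and all values are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration; not the Nexus Repository implementation.
public class RedactionDemo {
    // The four field names quoted in the thread.
    static final List<String> CORE_NAMES =
        List.of("applicationPassword", "password", "systemPassword", "secret");

    // Hypothetical extended list adding the two APT attribute names from the thread.
    static final List<String> EXTENDED_NAMES =
        List.of("applicationPassword", "password", "systemPassword", "secret",
                "keypair", "passphrase");

    // Returns a copy of the attribute tree that is safe to log: a value whose key
    // exactly matches a sensitive name is masked; nested maps are walked recursively.
    static Map<String, Object> redact(Map<String, ?> attrs, List<String> sensitive) {
        Map<String, Object> out = new LinkedHashMap<>();
        for (Map.Entry<String, ?> e : attrs.entrySet()) {
            Object v = e.getValue();
            if (sensitive.contains(e.getKey())) {
                out.put(e.getKey(), "**REDACTED**");
            } else if (v instanceof Map) {
                @SuppressWarnings("unchecked")
                Map<String, ?> child = (Map<String, ?>) v;
                out.put(e.getKey(), redact(child, sensitive));
            } else {
                out.put(e.getKey(), v);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample configuration; every value is a placeholder.
        Map<String, Object> signing = new LinkedHashMap<>();
        signing.put("keypair", "<constructed-private-key>");
        signing.put("passphrase", "<constructed-passphrase>");
        Map<String, Object> auth = new LinkedHashMap<>();
        auth.put("username", "proxyuser");
        auth.put("password", "<constructed-password>");
        Map<String, Object> attrs = new LinkedHashMap<>();
        attrs.put("signing", signing);
        attrs.put("authentication", auth);

        System.out.println("core list:     " + redact(attrs, CORE_NAMES));
        System.out.println("extended list: " + redact(attrs, EXTENDED_NAMES));
    }
}
```

With the core list only `password` is masked and both signing values print in clear; with the extended list all three are masked.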

That's good feedback @mpoindexter. Tagging in @mcculls as he might know a bit more!

APT is now part of Nexus Repository Manager. Version 3.17.0 includes the APT plugin by default.
If this is still an issue when using 3.17.0 or later, please file an issue at https://issues.sonatype.org/.
Links to the new source code location are in the top level README.md.