redis/ioredis

Errors contain credentials in plaintext

Open

#1,713 opened on Jan 27, 2023

View on GitHub
 (4 comments) (4 reactions) (0 assignees)TypeScript (1,069 forks)batch import
help wanted

Repository metrics

Stars
 (12,302 stars)
PR merge metrics
 (Avg merge 3d 5h) (5 merged PRs in 30d)

Description

When wrong credentials are provided to Redis, this gets logged:

{"level":50,"time":1674832773627,"pid":1,"hostname":"service-79d5f6fb77-gf4ks","type":"ReplyError","message":"WRONGPASS invalid username-password pair or user is disabled.","stack":"ReplyError: WRONGPASS invalid username-password pair or user is disabled.\n    at parseError (/app/node_modules/redis-parser/lib/parser.js:179:12)\n    at parseType (/app/node_modules/redis-parser/lib/parser.js:302:14)","command":{"name":"auth","args":["APPLICATION_USERNAME","APPLICATION_PASSWORD"]}}

APPLICATION_USERNAME and APPLICATION_PASSWORD should not be there.

Contributor guide