Errors contain credentials in plaintext · redis/ioredis#1713

(4 留言) (4 反應) (0 負責人)TypeScript (12,302 star) (1,069 fork)batch import

help wanted

描述

When wrong credentials are provided to Redis, this gets logged:

{"level":50,"time":1674832773627,"pid":1,"hostname":"service-79d5f6fb77-gf4ks","type":"ReplyError","message":"WRONGPASS invalid username-password pair or user is disabled.","stack":"ReplyError: WRONGPASS invalid username-password pair or user is disabled.\n    at parseError (/app/node_modules/redis-parser/lib/parser.js:179:12)\n    at parseType (/app/node_modules/redis-parser/lib/parser.js:302:14)","command":{"name":"auth","args":["APPLICATION_USERNAME","APPLICATION_PASSWORD"]}}

APPLICATION_USERNAME and APPLICATION_PASSWORD should not be there.

貢獻者指南

技術棧: typescriptnodejs
領域: backendsecurity
議題類型: bug
難度: 3
預計時間: 1-3 hours
活動狀態: fresh
清晰度: clear
前置要求: Node.js basicsRedis authenticationUnderstanding of logging
新手友善度: 60
研究方向: The issue is that the Redis error message includes the credentials in plaintext when authentication fails. The fix involves modifying the error handling in the ioredis library to redact or omit the username and password from the logged command arguments. Look at the 'auth' command implementation in the source code (likely in the 'command' or 'redis' modules). Ensure that any logging of command arguments masks sensitive fields. Consider adding a redaction mechanism similar to what other libraries use. The maintainers may provide guidance in the issue comments.