COMPASS-1407

Redact connection credentials from debug output when NODE_ENV is production

    • Type: Task
    • Resolution: Won't Do
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: Security
    • Labels: None

      Broken off from https://github.com/10gen/compass/pull/939

      durran.jordan suggested:

      I'm actually against this as this specific debug helped track down the issue with a customer on the libsecret problem - as I could see the connection details in the logs. In production, the password is redacted:

      mongodb-compass:models:connection Testing connection to `

      Unknown macro: {"name"}

      `... +22s

      thomasr says:

      We can't leave it in like that for production. Huge potential for PR disaster. Either we redact in production or take that whole line out.

      durran.jordan says:

      Yeah I would prefer redacting as the connection information has been very useful in debugging issues.

      lucas.hrabovsky says:

      The redact-secrets module could be helpful here:

      > Deeply iterate over an object and redact secret values by replacing them with a predefined string.

      Combining it with an override of debug#formatArgs() should give the desired result (something like the below):

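      var debug = require('debug');
      var _format = debug.formatArgs;
      // Replace secret values found in objects with a fixed marker.
      var redact = require('redact-secrets')('[REDACTED]');
      debug.formatArgs = function(...args) {
        const redactedArgs = args.map((arg) => (typeof arg === 'object') ? redact.map(arg) : arg);
        // formatArgs reads the namespace and colour settings from `this`,
        // so pass the logger instance through rather than the module.
        return _format.apply(this, redactedArgs);
      };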
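The snippet above only rewrites object arguments, so a connection string logged as plain text would pass through unchanged. The following is an added example, not part of the original ticket or of Compass: a dependency-free redactor that covers both cases and only redacts when the environment is production. The function names, the key-name pattern and the sample values are assumptions made for illustration.

```javascript
// Added example: all names, patterns and sample values are constructed.
const REDACTED = '[REDACTED]';
// Key names treated as secret (assumption; extend to match your connection model).
const SECRET_KEY = /password|passphrase|secret|token|api[_-]?key/i;
// Matches scheme://user:password@ and captures scheme://user. The password part
// is greedy up to the last '@' before the first '/', so an unencoded '@' inside
// the password is not left behind in the output.
const URI_USERINFO = /([a-z][a-z0-9+.-]*:\/\/[^\s:@\/]+):[^\s\/]+@/gi;

// Strip the password from any URI embedded in a log string.
function redactString(str) {
  return str.replace(URI_USERINFO, `$1:${REDACTED}@`);
}

// Return a redacted deep copy; the caller's object is never mutated.
function redactValue(value, ancestors = new WeakSet()) {
  if (typeof value === 'string') return redactString(value);
  if (value === null || typeof value !== 'object') return value;
  if (ancestors.has(value)) return '[Circular]'; // break reference cycles
  ancestors.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((v) => redactValue(v, ancestors));
  } else {
    out = {};
    for (const [key, v] of Object.entries(value)) {
      // Unset secrets (null/undefined) stay visible; that is useful when debugging.
      out[key] = SECRET_KEY.test(key) && v != null ? REDACTED : redactValue(v, ancestors);
    }
  }
  ancestors.delete(value);
  return out;
}

// Redact every log argument in production; leave development output untouched.
function redactLogArgs(args, env = process.env.NODE_ENV) {
  return env === 'production' ? args.map((a) => redactValue(a)) : args;
}
```

A wrapper around the logger would call `redactLogArgs` on the arguments before handing them to `debug`, so format specifiers such as `%o` only ever see the redacted copy.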
      

            Assignee: Unassigned
            Reporter: lucas.hrabovsky Lucas Hrabovsky (Inactive)
            Votes: 0
            Watchers: 2
