Project

General

Profile

Actions
Copy link

action #122749

open

Censor RabbitMQ credentials in log messages

Added by kraih almost 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Regressions/Crashes
Target version:
QA (public) - future
Start date:
2023-01-05
Due date:
% Done:

0%

Estimated time:
Tags:
security

Description

Observation

While investigating #122746, i noticed log messages like this:

[2023-01-05T10:16:48.515519Z] [debug] [pid:4163] AMQP URL: amqps://username:passw0rd@rabbit.opensuse.org:5671/?exchange=pubsub

Leaking the RabbitMQ credentials in the userinfo field of the AMQP URL.

Acceptance criteria

  • AC1: AMQP credentials are not shown in debug logs.

Suggestion

  • Use Mojo::URL to hide the userinfo field (automatically hidden when Mojo::URL objects are stringified).

No data to display

Actions
Copy link

Also available in: Atom PDF