
Hide/mask/scrub secrets/passwords in logs


The problem

Passwords and other secrets sent by sendKeys variants are seen in plaintext in the logs. It would be nice to be able to prevent that somehow.

Details

Suppose I have code that looks like this:

var pass = getPasswordSecurelySomehow(); // e.g. DPAPI or keychain
myPasswordElement.sendKeys(pass);        // the plaintext value ends up in the server log

The logs will show my password:

[debug] Pushing command to appium work queue: "au.getElement('18').setValueByType('MySecretPass')"

It would be great to be able to write something like myPasswordElement.sendSecureKeys(pass); (without compromising log verbosity), and have those keys scrubbed from the log (e.g. replaced with asterisks).

I realize that this would require client library support too (e.g. in wd) but I figured the support has to start somewhere, and could possibly even exploit some existing mechanism (maybe send a special character value that would mark the text as ‘secret’)?


Top GitHub Comments

dotnetprofessional commented, Nov 30, 2018

Seems this hasn’t had much traction. We’ve just run into this issue ourselves. As @ohadschn has mentioned, these ‘test’ passwords can be more dangerous than the real ones. They are often used to gain access to other systems even if the original password doesn’t provide access. Many organizations have a policy of not logging passwords or committing them to source control (another popular source for hackers).

I like the idea of an optional parameter to the sendKeys method that prevents that data from being logged. I’d go with isSensitive, but redact is fine too.

Is this likely to be added?

jlipps commented, Jan 6, 2017

yeah, maybe adding a custom json parameter redact to the sendkeys method would work. We can bring this up with the selenium folks too to see if it’s worth talking about in terms of the spec.

@lukeis @shs96c have you guys had requests before for a flag for sendkeys that will instruct the server not to log the text in case it’s sensitive information?

Alternatively, we could stay within spec and simply have a mode for the Appium server where it doesn’t log any sendkeys information
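The two options raised in this thread (a per-command `redact` flag on sendKeys, and a server-wide mode that never logs sendKeys text) are sketched below as an added example; this is not Appium's or wd's code, and the command object shape, the option names `redact` and `hideAllSendKeys`, and the log line format are assumptions modelled on the log line quoted in the issue. The element id and method name are kept in the log so verbosity is not lost; only the typed value is masked.

```javascript
// Added example, not Appium/wd code. Demonstrates redacting sendKeys values
// from the command log while keeping the rest of the line intact.

const MASK = '********';

// Command names that carry user-typed text (assumed list based on the issue).
const SENDKEYS_METHODS = new Set(['setValueByType', 'setValue', 'sendKeys']);

// Render the command the way the queue log prints it, masking the argument
// when the client asked for it (cmd.redact) or the server is configured to
// hide every sendKeys value (serverOpts.hideAllSendKeys).
function renderCommand(cmd, serverOpts = {}) {
  const sendsText = SENDKEYS_METHODS.has(cmd.method);
  const hide = cmd.redact === true ||
    (serverOpts.hideAllSendKeys === true && sendsText);
  const args = (cmd.args || []).map(a =>
    hide ? `'${MASK}'` : `'${String(a).replace(/'/g, "\\'")}'`);
  return `au.getElement('${cmd.elementId}').${cmd.method}(${args.join(', ')})`;
}

// The full debug line as it appears in the issue, built from renderCommand.
function logLine(cmd, serverOpts = {}) {
  return `[debug] Pushing command to appium work queue: "${renderCommand(cmd, serverOpts)}"`;
}

// Last line of defence: scrub already-formatted lines (e.g. in a log
// forwarder) so a value that slipped past the flag never leaves the host.
// Handles escaped quotes inside the value; the masked method name is kept.
function scrubLogLine(line) {
  const re = /\b(setValueByType|setValue|sendKeys)\('((?:[^'\\]|\\.)*)'\)/g;
  return line.replace(re, (_, method) => `${method}('${MASK}')`);
}

// Constructed sample command matching the issue's log line.
const sampleCmd = { method: 'setValueByType', elementId: '18',
                    args: ['MySecretPass'], redact: true };

console.log(logLine(sampleCmd));                          // value masked by flag
console.log(logLine({ ...sampleCmd, redact: false },
                    { hideAllSendKeys: true }));          // masked by server mode
console.log(scrubLogLine(logLine({ ...sampleCmd, redact: false }))); // scrubbed
```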
