
Error contains password in plaintext


Hi, I’m using ioredis like this (simplified):

import Redis from 'ioredis'

const password = process.env.REDIS_PASSWORD // e.g. 'abc123'
const redis = new Redis({ password })

// `logger` is the service's own logger (not shown in the issue)
redis.on('error', (error) => {
  logger.error('Redis error', error)
})

Due to a human error, the password used was not the correct one for my service, so ioredis could not connect. This resulted in the following error:

Error {
  command: {
    name: 'auth',
    args: ['abc123']
  }
}

Since this error gets emitted and ultimately logged, it ended up in plaintext in my service logs, which for some could equate to a security incident.

I’ve since made sure to omit error.command.args before logging. But is this expected behavior? Is there a better way to handle this?

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 7 (2 by maintainers)

Top GitHub Comments

luin commented, Nov 6, 2020 (1 reaction)

Yeah, that sounds reasonable. Can you make a PR for that?

smartinio commented, Nov 4, 2020 (1 reaction)

Hey Luin! Okay, how about this?

Assuming that the consensus is that any data (not just passwords) is potentially sensitive:

Make the existence of error.command.args configurable through a flag (e.g. errorsContainCommandArgs). This could start as an opt-out, to not break current behavior. If the option is not explicitly set by the user, ioredis can log a warning:

[ioredis] Command args in errors are deprecated. In the future, command args will not automatically be included in the error object. To keep the current behavior, set errorsContainCommandArgs: true when configuring ioredis
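The issue author's mitigation (dropping error.command.args before logging) and the opt-in flag proposed in the comment above can both be shown in one small helper. The following is an added example, not code from ioredis or from anyone in the thread: it builds a log-safe copy of an ioredis-style error in which the command name and argument count survive but the argument values do not, so a failed AUTH never writes the password into the service logs. It assumes the error exposes `command.name` and `command.args` as in the error shown in the issue; the `keepCommandArgs` option is a hypothetical switch that mirrors the proposed flag (off by default), and the sample error is constructed.

```javascript
// Added example, not code from ioredis or from the issue author. It builds a
// log-safe copy of an ioredis-style error: the Redis command name and the
// number of arguments survive, the argument values do not, so a failed AUTH
// never writes the password into the service logs.
//
// Assumptions: the error exposes `command.name` and `command.args` as in the
// error shown in the issue; `keepCommandArgs` is a hypothetical switch that
// mirrors the opt-in flag proposed in the thread (off by default).

function toLoggableError(error, { keepCommandArgs = false } = {}) {
  // Non-object values (strings, null) have no fields worth copying.
  if (typeof error !== 'object' || error === null) {
    return { message: String(error) };
  }

  // Error fields are non-enumerable, so copy them explicitly rather than
  // with a spread, and never mutate the original error: other handlers may
  // still need the full object.
  const safe = {
    name: error.name,
    message: error.message,
    stack: error.stack,
  };

  if (error.command && typeof error.command === 'object') {
    const { name } = error.command;
    const args = Array.isArray(error.command.args) ? error.command.args : [];
    safe.command = {
      name,
      argCount: args.length,
      // Every argument is redacted, not only AUTH's: any Redis argument can
      // carry credentials or application data, so treat all of them as sensitive.
      args: keepCommandArgs ? args.slice() : args.map(() => '[REDACTED]'),
    };
  }

  return safe;
}

// Constructed sample that mirrors the error shape shown in the issue; the
// message text is made up.
function sampleAuthError() {
  const err = new Error('AUTH failed (constructed sample)');
  err.command = { name: 'auth', args: ['abc123'] };
  return err;
}

// Checks a serialised log entry for a known secret; useful as a unit test
// around any logging path that receives client errors.
function leaksSecret(logEntry, secret) {
  return JSON.stringify(logEntry).includes(secret);
}

// In the service, wire it into the ioredis error handler:
//   redis.on('error', (error) => logger.error('Redis error', toLoggableError(error)));
console.log(JSON.stringify(toLoggableError(sampleAuthError()), null, 2));
```

Keeping `argCount` and the command name preserves enough to diagnose a failing AUTH from the logs without the credential itself; `leaksSecret` can sit in a test suite so a future change to the logging path cannot silently reintroduce the leak.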
