
Do not log passwords to console / logs


In openHAB1-addons we recently checked for passwords being logged; however, a similar check should be done for openHAB2-addons. The first hit I found was:

https://github.com/openhab/openhab2-addons/blob/5c03ebb95e9177960543aa9db249829071ce7e5e/addons/binding/org.openhab.binding.dscalarm/src/main/java/org/openhab/binding/dscalarm/internal/handler/EnvisalinkBridgeHandler.java#L76

But I expect more hits. It is about logging passwords, for example by including them in a toString, by plain logging, or by putting them in an Exception (message).

Anyone wanting to pick this up is appreciated 😃

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 6 (6 by maintainers)

Top GitHub Comments

1 reaction
cweitkamp commented, Sep 21, 2018

Should we additionally check for context password in the config-description parameters?

<parameter name="password" type="text" required="true">
    <context>password</context>
    <label>Password</label>
    <description>Password to access ...</description>
</parameter>
1 reaction
wborn commented, Sep 21, 2018

we recently checked for passwords being logged

Did you also check for pincodes, oauth tokens, private keys etc? Logging those is also problematic when logfiles are attached to issues or posted to forums. I know the Nest binding logs some:

https://github.com/openhab/openhab2-addons/blob/12558ff48b38677b906e227b5d2201cb13a203cf/addons/binding/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/handler/NestBridgeHandler.java#L106-L109

Sometimes these details are also part of sent/received messages that get logged. These are less easy to spot in existing code.

We could also add these practices to the Logging section in the Coding Guidelines.
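The following is an added example and not code from the openHAB project; it covers the three leak paths named in the issue (toString, plain logging, exception messages) and the scrubbing of sent/received messages wborn raises. Class and method names (LogRedactionDemo, BridgeConfig, redact) and the list of secret keys are assumptions.

```java
import java.util.regex.Pattern;

/** Added example; names (BridgeConfig, redact) are assumed, not openHAB's own. */
public final class LogRedactionDemo {

    /** Hypothetical binding configuration holding a secret. */
    static final class BridgeConfig {
        final String host;
        final String user;
        final String password; // secret: must never reach a log line

        BridgeConfig(String host, String user, String password) {
            this.host = host;
            this.user = user;
            this.password = password;
        }

        /** toString masks the secret, so logger.debug("config: {}", config) cannot leak it. */
        @Override
        public String toString() {
            String masked = (password == null || password.isEmpty()) ? "<unset>" : "***";
            return "BridgeConfig[host=" + host + ", user=" + user + ", password=" + masked + "]";
        }
    }

    // Assumed secret keys in key=value and JSON-style "key":"value" pairs; a value ends at
    // a quote, '&', '}', or whitespace. Group 1 is the key part that is kept in the output.
    private static final Pattern SECRET = Pattern.compile(
            "(?i)(\"?(password|passwd|pin|pincode|access_token|refresh_token|client_secret|private_key)"
            + "\"?\\s*[:=]\\s*\"?)([^\",&\\s}]+)");

    /** Scrubs secret values from a sent/received message before it is logged. */
    static String redact(String message) {
        return message == null ? null : SECRET.matcher(message).replaceAll("$1***");
    }

    public static void main(String[] args) {
        BridgeConfig config = new BridgeConfig("192.0.2.10", "admin", "hunter2");
        System.out.println("config: " + config);
        // Constructed samples of messages a binding might log at TRACE level.
        String sent = "{\"user\":\"admin\",\"password\":\"hunter2\",\"pin\":1234}";
        String received = "status=ok&access_token=eyJabc.def.ghi&expires=3600";
        System.out.println("sent:     " + redact(sent));
        System.out.println("received: " + redact(received));
        // An exception message should identify the failure, never carry the secret.
        Exception e = new IllegalStateException("Login failed for " + config.user + " at " + config.host);
        System.out.println(e.getMessage());
    }
}
```

Run with `java LogRedactionDemo.java` (JDK 11 or later); the redacted output keeps the key names so the message stays useful for debugging while the values are replaced by `***`.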
