Stop writing broker password to the log
Software versions
- OS: Windows 10
- Library version: 9.0.4
- Node Version: 10.15.3
Expected behaviour
pact-node should not write out the broker password at any time into the log. It should censor the passwords with ***.
Actual behaviour
It writes out the password each time you publish pacts or run the provider verifier. This is mostly a problem on the CI, where the logs may be viewed by everyone and retained forever. It’s bad practice to write any passwords into the log at any time, but pact-node blurts it out every single time:
Pact verifier:
[2019-09-27T09:11:41.655Z] INFO: pact-node@9.0.4/2508 on DESKTOP-FTQEBA5: Verifying Pacts.
[2019-09-27T09:11:41.658Z] INFO: pact-node@9.0.4/2508 on DESKTOP-FTQEBA5: Verifying Pact Files
[2019-09-27T09:11:41.674Z] INFO: pact-node@9.0.4/2508 on DESKTOP-FTQEBA5: Created 'standalone\win32-1.70.2\bin\pact-provider-verifier.bat --provider 'app-api' --provider-states-setup-url 'http://localhost:2999/setup' --provider-base-url 'http://localhost:2999' --out '../../../logs/pact-provider.log' --pact-broker-base-url '[url]' --broker-username 'pact_ro' --broker-password '[removed]'
Pact publisher:
[2019-09-27T09:08:02.263Z] INFO: pact-node@9.0.3/14580 on DESKTOP-FTQEBA5: Publishing Pacts to Broker
[2019-09-27T09:08:02.264Z] INFO: pact-node@9.0.3/14580 on DESKTOP-FTQEBA5: Publishing pacts to broker at: [removed]
[2019-09-27T09:08:02.280Z] INFO: pact-node@9.0.3/14580 on DESKTOP-FTQEBA5: Created 'standalone\win32-1.70.2\bin\pact-broker.bat publish 'C:\Repositories\mobile-app\pacts' --broker-base-url '[url]' --broker-username 'pact_rw' --broker-password '[removed]' --consumer-app-version '5666859' --tag '109''
The only way to stop it from doing that seems to be to increase the log level to WARN. But that also removes some useful messages.
Steps to reproduce
Run either the pact publisher or the pact verifier function of pact-node.
Top GitHub Comments
Ok so I stand corrected then. So pact always blurts out the password, but thankfully the CI (Jenkins) is smart enough to censor it (if it’s passed as a secret env var).
In this case it’s definitely something to be fixed, as it can’t always rely on the CI to clean up after itself.
So, the password gets printed because it’s passed to the underlying binary as an argument, and the arguments are logged.
One solution could be to downgrade that particular printing to a DEBUG rather than an INFO. That might be more robust than figuring out which arguments are sensitive and which aren’t. Thoughts?