Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Stop writing broker password to the log
See original GitHub issueSoftware versions
- OS: Windows 10
- Library version: 9.0.4
- Node Version: 10.15.3
Expected behaviour
pact-node should not write out the broker password at any time into the log. It should censor the passwords with ***.
Actual behaviour
It writes out the password each time you publish pacts or run the provider verifier. This is mostly a problem on the CI, where the logs may be viewed by everyone and retained forever. It’s bad practice to write any passwords into the log at any time, but pact-node blurts it out every single time:
Pact verifier:
[2019-09-27T09:11:41.655Z] INFO: pact-node@9.0.4/2508 on DESKTOP-FTQEBA5: Verifying Pacts.
[2019-09-27T09:11:41.658Z] INFO: pact-node@9.0.4/2508 on DESKTOP-FTQEBA5: Verifying Pact Files
[2019-09-27T09:11:41.674Z] INFO: pact-node@9.0.4/2508 on DESKTOP-FTQEBA5: Created 'standalone\win32-1.70.2\bin\pact-provider-verifier.bat --provider 'app-api' --provider-states-setup-url 'http://localhost:2999/setup' --provider-base-url 'http://localhost:2999' --out '../../../logs/pact-provider.log' --pact-broker-base-url '[url]' --broker-username 'pact_ro' --broker-password '[removed]'
Pact publisher:
[2019-09-27T09:08:02.263Z] INFO: pact-node@9.0.3/14580 on DESKTOP-FTQEBA5: Publishing Pacts to Broker
[2019-09-27T09:08:02.264Z] INFO: pact-node@9.0.3/14580 on DESKTOP-FTQEBA5: Publishing pacts to broker at: [removed]
[2019-09-27T09:08:02.280Z] INFO: pact-node@9.0.3/14580 on DESKTOP-FTQEBA5: Created 'standalone\win32-1.70.2\bin\pact-broker.bat publish 'C:\Repositories\mobile-app\pacts' --broker-base-url '[url]' --broker-username 'pact_rw' --broker-password '[removed]' --consumer-app-version '5666859' --tag '109''
The only way to stop it from doing that seems to be to increase the log level to WARN. But that also removed some useful messages.
Steps to reproduce
Run either the pact publisher or the pact verifier function of pact-node.
Issue Analytics
- State:
- Created 4 years ago
- Comments:6 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Ok so I stand corrected then. So pact always blurts out the password, but thankfully the CI (Jenkins) is smart enough to censor it (if its passed as a secret env var).
In this case it’s definitely something to be fixed, as it can’t always rely on the CI to clean up after itself.
So, the password gets printed because it’s passed to the underlying binary as an argument, and the arguments are logged.
One solution could be to downgrade that particular printing to a
DEBUGrather than anINFO. That might be more robust than figuring out which arguments are sensitive and which aren’t. Thoughts?