[Feature Request] Redact credentials from logs with when YAML fails to parse

[bphenriques]

Description

I have the following setup for Glances widget and I made a mistake when setting up the URL:

- glances:
    url: http://glances:61208
    username: glances
    password: {{HOMEPAGE_VAR_GLANCES_PASSWORD}}
    cpu: true
    mem: true
    cputemp: true
    uptime: true
    expanded: true
    disk:
      - /volume1
      - /volume2

I was surprised to see this in the logs:

homepage  | Data: {"type":"Buffer","data":[]}
homepage  | [2024-02-02T21:13:20.427Z] error: Failed to load widgets, please check widgets.yaml for errors or remove example entries.
homepage  | [2024-02-02T21:13:20.427Z] error: named tag handle cannot contain such characters (4:30)
homepage  | 
homepage  |  1 | - glances:
homepage  |  2 |     url: http://glances:61208
homepage  |  3 |     username: glances
homepage  |  4 |     password: redacted
homepage  | ----------------------------------^
homepage  |  5 |     cpu: true
homepage  |  6 |     mem: true

The fields related with credentials should not be logged, or should be at least redacted.

Other

No response

[glime-ai[bot]]

It appears that the issue you're encountering is related to the use of a placeholder or variable within your configuration file that is not being properly recognized or parsed. The error message named tag handle cannot contain such characters suggests that there is a syntax error in the YAML file, likely around the line where you're using {{HOMEPAGE_VAR_GLANCES_PASSWORD}}.

To resolve this issue, you should ensure that you are using the correct syntax for environment variables or placeholders in your configuration file. If {{HOMEPAGE_VAR_GLANCES_PASSWORD}} is meant to be an environment variable, you may need to use a different syntax that is supported by the application you are configuring.

Additionally, it's good practice to keep sensitive information such as passwords out of log files. If the application is logging sensitive information, you may want to check the documentation or support resources for information on how to prevent this from happening.

If you could clarify whether {{HOMEPAGE_VAR_GLANCES_PASSWORD}} is intended to be an environment variable or a placeholder for manual replacement, I could provide more specific guidance.

Regarding the concern about credentials being logged, it's important to check the application's documentation or configuration settings to see if there is an option to enable redaction of sensitive information in logs. If such an option is not available, you may want to raise this as a security concern with the developers of the application.

Could you please confirm if {{HOMEPAGE_VAR_GLANCES_PASSWORD}} is an environment variable or a placeholder, and if you have any specific questions about changing the syntax or preventing sensitive information from being logged?

---

Thanks for posting a discussion about homepage here on GitHub. Homepage now uses a fancy new AI tool thanks to our friends at Glime, so the answer below is the AI bot's attempt to answer your question. If you feel it's sufficient you can mark the answer and close this post, otherwise feel free to leave it open of course!

Thanks for using Homepage! ❤️

This comment was generated by Glime.

[bphenriques]

missed the mark, sorry 😝

[shamoon]

Actually I think the bot is not so wrong. This error is an issue in the yaml and the output is telling you where it failed. I believe the output comes from the yaml parsing library. Otherwise passwords / keys are redacted from the logs IIRC

[bphenriques]

I take what I said. You are right that the bot was not actually wrong, I had to quote the {{HOMEPAGE_VAR_GLANCES_PASSWORD}} due to special characters inside. Good bot, I was wrong 👍

On the other hand, it would be best if these sensitive fields don't be logged at all even if there is a configuration issue. That is easier said than done given that this must be a direct error from the parser. Perhaps can point to the faulty field file instead?

I leave it to your discretion.

[bphenriques]

Also renamed the discussion to be more clear.