Skip to content

Fixing issue #35530: Password Leak in Log Messages (#35584) #35609

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 9, 2025
Merged

Fixing issue #35530: Password Leak in Log Messages (#35584) #35609

merged 1 commit into from
Oct 9, 2025
+7 −5

Conversation

GiteaBot
Copy link
Collaborator

@GiteaBot GiteaBot commented Oct 9, 2025

Backport #35584 by @shashank-netapp

Summary

The Gitea codebase was logging Elasticsearch and Meilisearch connection strings directly to log files without sanitizing them. Since connection strings often contain credentials in the format protocol://username:password@host:port, this resulted in passwords being exposed in plain text in log output.

Fix:

  • wrapped all instances of setting.Indexer.RepoConnStr and setting.Indexer.IssueConnStr with the util.SanitizeCredentialURLs() function before logging them.

Fixes: #35530

@shashank-netapp @lunny @GiteaBot
Fixing issue go-gitea#35530: Password Leak in Log Messages (go-gitea#…
389cda2 
…35584)

The Gitea codebase was logging `Elasticsearch` and `Meilisearch`
connection strings directly to log files without sanitizing them. Since
connection strings often contain credentials in the format
`protocol://username:password@host:port`, this resulted in passwords
being exposed in plain text in log output.

Fix:
- wrapped all instances of setting.Indexer.RepoConnStr and
setting.Indexer.IssueConnStr with the `util.SanitizeCredentialURLs()`
function before logging them.

Fixes: go-gitea#35530

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@GiteaBot GiteaBot added the modifies/go Pull requests that update Go code label Oct 9, 2025
@GiteaBot GiteaBot requested a review from lunny October 9, 2025 08:01
@GiteaBot GiteaBot added this to the 1.25.0 milestone Oct 9, 2025
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 9, 2025
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 9, 2025
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 9, 2025
@6543 6543 merged commit 6de2151 into go-gitea:release/v1.25 Oct 9, 2025
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@silverwind silverwind silverwind approved these changes

@6543 6543 6543 approved these changes

@lunny lunny Awaiting requested review from lunny

@techknowlogick techknowlogick Awaiting requested review from techknowlogick

Assignees

No one assigned

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/go Pull requests that update Go code

Projects

None yet

Milestone

1.25.0

Development

Successfully merging this pull request may close these issues.

4 participants

@GiteaBot @silverwind @6543 @shashank-netapp