fix(security): avoid password leaks on query logs #5559
Conversation
Signed-off-by: Andres Correa Casablanca <castarco@coderspirit.xyz>
Hi @tgriesser & @kibertoad , I'm sorry for adding direct mentions, but I have the feeling that this PR fixes a serious issue, and it can easily get lost among the dozens of automated PRs produced by bots.
Signed-off-by: Andres Correa Casablanca <castarco@coderspirit.xyz>
check for object to be defined before accessing property
Signed-off-by: Andres Correa Casablanca <castarco@coderspirit.xyz>
Signed-off-by: Andres Correa Casablanca <castarco@coderspirit.xyz>
@castarco Thanks for the PR by the way, the error is on the "master" branch and not in your PR.
Thanks @OlivierCavadenti 😃 , I was investigating now what I might have broken. It will save me some time!
Signed-off-by: Andres Correa Casablanca <castarco@coderspirit.xyz>
Any news on whether this will be approved/rejected/merged? From our side it's not urgent, because we are using
@OlivierCavadenti any update on this?
@Eomm sorry for the delay.
Is it possible that this has broken auth in 2.5.0? We've started to get auth issues for the 2.4.0 -> 2.5.0 Knex bump PR in Ghost: https://github.com/TryGhost/Ghost/actions/runs/5505546016/jobs/10033054604?pr=17254#step:11:283
I'll check. It could be related.
Thanks!
Yes, it looks exactly the same as in my case 😄
I didn't have time this past night to fix it as I was low on energy, but I was walking through the code and I already have some idea of how to fix it. Hopefully today I'll be able to post a patch. Again, sorry for the disturbance.
No problem, we all deal with our personal lives, do as you can.
Hi. But after upgrading to v2.5.0, it fails with the error:
So what's your suggestion for injecting the password? This is my knexfile.ts:

```ts
import * as process from 'process';
require('ts-node/register');
import config from 'config';

// Only the fields this knexfile touches are typed here; a real knex config has more.
export interface KnexConfig {
  client: string;
  connection: {
    host?: string;
    user?: string;
    password?: string;
    database?: string;
    [key: string]: unknown;
  };
  // other knex fields
  [key: string]: unknown;
}

const originalConfig = config.get<KnexConfig>('postgres');

// Create a new object with the modified password value, leaving the
// object cached by `config` untouched.
const postgres: KnexConfig = {
  ...originalConfig,
  connection: {
    ...originalConfig.connection,
    password: process.env.PG_PASSWORD,
  },
};

export default postgres;
```

Does it make sense?
Just as a note, this broke our integration tests since we now cannot reuse the same object with the configurations between scenarios. We have to clone the object for each instantiation of knex, otherwise we get
Easy fix on our side, but just registering here so others might know.
Motivation:
We detected that under certain conditions, passwords could be leaked through logs, when executing code such as:
In our case, the logger was Pino; this problem doesn't necessarily happen with other loggers (as they might use different serialisation methods).
Fixes:
Changes:
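The shape of the leak the PR description refers to, and a user-side mitigation, as an added example that is not knex's code and not the code from this PR. It assumes the common case: an object holding the connection settings (password included) is attached to a log call, and the logger serialises that object as JSON, which is what Pino does with a merging object. The config shape, the secret key names and the `redactSecrets` helper are assumptions for illustration; the password is a placeholder, not a real credential.

```javascript
// Added example, not knex's or the PR's code. Shows a constructed knex-style
// config reaching a JSON-serialising logger, and a redaction step applied to
// the object before it is logged.

const SECRET_KEYS = new Set(['password', 'pass', 'passwd', 'secret', 'token']);
const REDACTED = '[REDACTED]';

// Deep-copy `value`, replacing the value of any property whose key names a
// secret. Handles nested objects, arrays and cyclic references, and never
// mutates the input, so the same config object can still be handed to
// several knex() calls afterwards.
function redactSecrets(value, seen = new WeakMap()) {
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return seen.get(value);
  if (Array.isArray(value)) {
    const out = [];
    seen.set(value, out);
    for (const item of value) out.push(redactSecrets(item, seen));
    return out;
  }
  const out = {};
  seen.set(value, out);
  for (const [key, val] of Object.entries(value)) {
    out[key] = SECRET_KEYS.has(key.toLowerCase()) && val != null
      ? REDACTED
      : redactSecrets(val, seen);
  }
  return out;
}

// Stand-in for a JSON logger such as Pino: the merging object is serialised
// into the log line, so whatever it contains ends up in the log sink.
function jsonLogLine(bindings, msg) {
  return JSON.stringify({ level: 50, msg, ...bindings });
}

// Constructed config (assumed shape); the password is a placeholder.
const constructedConfig = {
  client: 'pg',
  connection: {
    host: 'db.internal',
    user: 'app',
    password: 'example-password-123',
    database: 'app',
  },
  pool: { min: 0, max: 5 },
};

// A query-error log line with the config object attached as-is.
function leakingLogLine() {
  return jsonLogLine({ config: constructedConfig }, 'query failed');
}

// The same log line after redaction.
function redactedLogLine() {
  return jsonLogLine({ config: redactSecrets(constructedConfig) }, 'query failed');
}

// true when the rendered line carries the secret.
function lineLeaksPassword(line) {
  return line.includes(constructedConfig.connection.password);
}

console.log(leakingLogLine());
console.log(redactedLogLine());
```

Redacting at the logger is the user-side control: Pino also supports this natively through its `redact` option, which takes a list of property paths such as `config.connection.password`. The helper above deliberately copies rather than mutates, so it does not run into the config-reuse problem reported earlier in this thread, where the same object could no longer be passed to several knex instantiations without cloning it first.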