Errors contain credentials in plaintext

[kibertoad]

When wrong credentials are provided to Redis, this gets logged:

{"level":50,"time":1674832773627,"pid":1,"hostname":"service-79d5f6fb77-gf4ks","type":"ReplyError","message":"WRONGPASS invalid username-password pair or user is disabled.","stack":"ReplyError: WRONGPASS invalid username-password pair or user is disabled.\n    at parseError (/app/node_modules/redis-parser/lib/parser.js:179:12)\n    at parseType (/app/node_modules/redis-parser/lib/parser.js:302:14)","command":{"name":"auth","args":["APPLICATION_USERNAME","APPLICATION_PASSWORD"]}}

APPLICATION_USERNAME and APPLICATION_PASSWORD should not be there.

[kibertoad]

This issue was previously reported: #1229
And there was a proposed fix that was ignored: #1233

[luin]

Hey @kibertoad 👋

Thanks for reporting this! #1233 was a bit too complicated than I thought so it hasn't been merged. If there are easier ways to fix the issue, PRs are welcome!

[Furzel]

Got a similar issue recently, here is the error object :

{
    command: {
      args: [
        '******CLEARTESTUSER******',
        '******CLEARTEXTPASSWORD******',
      ],
      name: 'auth',
    },
    message: 'ERR max number of clients reached',
    stack:   'ReplyError: ERR max number of clients reached
    at parseError (/redacted/node_modules/ioredis/node_modules/redis-parser/lib/parser.js:179:12)
    at parseType (/redacted/node_modules/ioredis/node_modules/redis-parser/lib/parser.js:302:14)',
    type:    'ReplyError',
  }

Will filter out logging when I have command.name === 'auth' in an error for now.