
With debug mode on, session token may be logged #869

Closed
lifepillar opened this issue Sep 5, 2022 · 5 comments

Comments

@lifepillar

lifepillar commented Sep 5, 2022

As far as I understand, \slack register always writes the token in plain text into plugins.var.python.slack.slack_api_token. The token can be subsequently secured as explained in the Readme, but, after that, the token remains fully accessible in plain text in logs/core.weechat.weechatlog and partially accessible in logs/python.slack.<some>-workspace.weechatlog.

The Readme should instruct the user to delete the logs after securing the token. Even better, though, would be if wee-slack (or WeeChat?) didn't log any sensitive information to begin with.

Edit: the session token is not logged by default (good!). It is logged when debug mode is on and the debug level is low enough.

@trygveaa
Member

trygveaa commented Sep 5, 2022

Hm, it's not printing the token in the buffer or logs for me. After registering and reloading it just says:

12:38 Success! Added team "<team_name>"
12:38 Please reload wee-slack with: /python reload slack
12:38 If you want to add another team you can repeat this process from step 1 before reloading wee-slack.
12:40 python: unloading script "slack"
12:40 python: script "slack" unloaded
12:40 python: loading script "/home/trygve/dev/wee-slack/wee_slack.py"
12:40 python: registered script "slack", version 2.8.0 (Extends weechat for typing notification/search/etc on slack.com)
12:40 Connecting to 1 slack team.
12:40 Connected to Slack team <team_name> (<team_domain>) with username trygveaa

What does it say for you?

I agree that it would be better to support secure variables in the register command so it wasn't stored in plain text in plugins.var.python.slack.slack_api_token though.

@lifepillar lifepillar changed the title Session token still lingering in the logs after securing it With debug mode on, session token may be logged Sep 5, 2022
@lifepillar
Author

I see. The token is not logged by default. It is logged if debug mode is on at a low level (I have tried with level 0). So, I guess this is by design (although I'd rather not log sensitive info under any circumstances…). I have edited the issue accordingly.

it would be better to support secure variables in the register command

Yes, please!

@trygveaa
Member

trygveaa commented Sep 5, 2022

Even with debug_level at 0 and debug_mode to true it's not logging the tokens here. The only place it's printed is in the slack-debug buffer, but that buffer is not logged.

Can you post what it logs for you (with the tokens censored)?

@lifepillar
Author

Ah, it's only when I set plugins.var.python.slack.slack_api_token manually that the change gets logged. I think this can be closed then.

@trygveaa
Member

trygveaa commented Sep 5, 2022

Right, if you set it manually as described in the readme, without using /secure, it will be printed. I've updated the readme to include the /mute command so it's not printed.
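The thread ends with the token having already been written to logs/core.weechat.weechatlog by the unmuted /set. The following script is an added example, not part of wee-slack or of this issue, for checking whether a WeeChat log directory still holds a plain-text Slack token after the option has been moved to /secure. It assumes that Slack tokens start with "xox" plus one letter and a dash (a heuristic, not stated on this page), and the constructed sample lines assume an "Option changed:" message format that WeeChat may not use verbatim; the detection does not depend on that format, only on the token shape.

```python
"""Scan WeeChat log files for a Slack API token written in plain text,
for example by `/set plugins.var.python.slack.slack_api_token ...` run
without `/mute` or `/secure`, and print redacted copies of the hits.

Added example; not wee-slack's own code.
"""
import re
import sys
from pathlib import Path

# Assumption: Slack tokens look like "xox<letter>-<alphanumerics/dashes>".
# The exact alphabet is not given on the issue page, so this is a heuristic.
TOKEN_RE = re.compile(r"\bxox[a-z]-[A-Za-z0-9-]{8,}")
OPTION_NAME = "plugins.var.python.slack.slack_api_token"


def redact(line):
    """Mask every token in the line, keeping the prefix and the last 4 chars
    so a hit can be matched to a known token without reprinting it."""
    def mask(m):
        tok = m.group(0)
        return tok[:5] + "..." + tok[-4:]
    return TOKEN_RE.sub(mask, line)


def find_token_leaks(lines, source="<stdin>"):
    """Return (source, line_no, redacted_line) for every line that carries a
    token-shaped literal. A line that only references the secured variable
    via ${sec.data.*} contains no literal token and is not reported."""
    hits = []
    for n, line in enumerate(lines, 1):
        if TOKEN_RE.search(line):
            hits.append((source, n, redact(line.rstrip("\n"))))
    return hits


def scan_logs(log_dir):
    """Walk a WeeChat logs directory and collect leaks from every
    *.weechatlog file (core.weechat.weechatlog and the per-buffer logs)."""
    hits = []
    for path in sorted(Path(log_dir).rglob("*.weechatlog")):
        with open(path, errors="replace") as fh:
            hits.extend(find_token_leaks(fh, str(path)))
    return hits


# Constructed sample lines (not real WeeChat output; the option-change
# message wording is assumed). Line 1 is the leak the issue describes,
# line 2 is what remains after the token is moved to /secure.
SAMPLE_LOG = [
    '2022-09-05 12:30:01\t--\tOption changed: '
    + OPTION_NAME + ' = "xoxc-1234567890-abcdefGHIJ"\n',
    '2022-09-05 12:31:15\t--\tOption changed: '
    + OPTION_NAME + ' = "${sec.data.slack_token}"\n',
    '2022-09-05 12:38:00\t--\tSuccess! Added team "myteam"\n',
]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    found = scan_logs(target) if target else find_token_leaks(SAMPLE_LOG, "sample")
    for src, n, text in found:
        print(f"{src}:{n}: {text}")
    # Non-zero exit when a token is still on disk, so the check can be
    # scripted after securing the option.
    sys.exit(1 if found else 0)
```

Run it as `python check_weechat_logs.py ~/.local/share/weechat/logs` (the path is whatever your WeeChat logs directory is); without an argument it runs against the embedded sample. A hit means the log file should be edited or deleted and the token rotated, since securing the option does not retroactively remove what was already logged.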
