ContentSquare / chproxy

Open-Source ClickHouse http proxy and load balancer
https://www.chproxy.org/
MIT License
1.28k stars 259 forks

[BUG] Redis password gets exposed in info logs when redis username is empty #398

Closed smunukutla-mycarrier closed 7 months ago

smunukutla-mycarrier commented 7 months ago

Describe the bug: Redis password gets exposed in info logs when Redis username is an empty string in Chproxy config.

To Reproduce: Do not provide a Redis username, leaving Caches.Redis.Username empty. Leaving the username as an empty string exposes the Redis password in the info logs.

Example config to reproduce the scenario:

caches:
  - name: "shortterm"
    mode: "redis"
    redis: 
      insecure_skip_verify: true
      addresses: 
        - "somewhere-redis-master:6379"
      username: ""
      password: ${REDIS_PASSWORD}
    expire: 5m
    grace_time: 20s

Expected behavior: Redis password should be masked as XXX in the info logs. Screenshots added below.

Screenshots:

Current behavior (snippet from info logs):

[image]

Expected behavior:

[image]

Environment information: OS: Linux/Amd64, Chproxy: v1.26.0

Additional context: None
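A regression check for the behaviour reported above, as an added example that is not chproxy's code and not part of the original issue: the password field carries its own masking, so the rendered config shows XXX whether or not a username is set. The names `Secret`, `RedisConfig`, `RenderForLog` and `Leaks` are hypothetical, and the password value is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Secret is a hypothetical string type that masks itself on every
// formatting path, independent of any other config field.
type Secret string

func (s Secret) masked() string {
	if s == "" {
		return ""
	}
	return "XXX"
}

func (s Secret) String() string               { return s.masked() } // %v, %+v, %s
func (s Secret) GoString() string             { return s.masked() } // %#v
func (s Secret) MarshalText() ([]byte, error) { return []byte(s.masked()), nil }

// Reveal is the single explicit way to obtain the real value (e.g. to dial Redis).
func (s Secret) Reveal() string { return string(s) }

// RedisConfig is a hypothetical stand-in for the redis cache settings.
type RedisConfig struct {
	Addresses []string
	Username  string
	Password  Secret
}

// RenderForLog formats the config the ways a logger plausibly would.
func RenderForLog(c RedisConfig) string {
	j, _ := json.Marshal(c)
	return fmt.Sprintf("%v | %+v | %#v | %s", c, c, c, j)
}

// Leaks reports whether the real password appears in any rendering.
func Leaks(c RedisConfig) bool {
	pw := c.Password.Reveal()
	return pw != "" && strings.Contains(RenderForLog(c), pw)
}

func main() {
	// Constructed sample values; the empty username is the reported trigger.
	c := RedisConfig{[]string{"somewhere-redis-master:6379"}, "", "constructed-pw-123"}
	fmt.Println(RenderForLog(c), "leaks:", Leaks(c))
}
```

Running the same assertion for both an empty and a non-empty username in CI catches a masking path that depends on another field.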

mga-chka commented 7 months ago

I'm closing the issue since the fix was merged