Heroic-Games-Launcher / HeroicGamesLauncher

A games launcher for GOG, Amazon and Epic Games for Linux, Windows and macOS.
https://heroicgameslauncher.com
GNU General Public License v3.0

[gogdl] remove token string from logs to prevent others downloading games #1020

Closed arrowgent closed 2 years ago

arrowgent commented 2 years ago

Describe the bug

I believe the unique token string from gogdl is the API token for accessing user games.

Removing this from the log or error logs would prevent people from looking here and using it to access games they do not own, and avoid errors being submitted with API token keys.

Add logs

ERROR: [Backend]: Error: Command failed: /home/catbox/.local/bin/heroic/resources/app.asar.unpacked/build/bin/linux/gogdl info 1207664623 --token="removed" --lang=en-US --os windows

ERROR: [Backend]: Error: Command failed: /opt/Heroic/resources/app.asar.unpacked/build/bin/linux/gogdl info 2 --token="removed" --lang=en-US --os windows

Steps to reproduce

1. error occurs
2. goes to logs
3. copies log to GitHub issue
4. API token is in the log

Expected behavior

obfuscate tokens from log

Screenshots

No response

System Information

Additional information

No response

flavioislima commented 2 years ago

@imLinguin I believe this was solved a long time ago, since we are using a protected command for the logs, right?

imLinguin commented 2 years ago

I believe yes; however, it still leaks the token in case the command fails. Probably catching in those cases would suffice.
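The failure-path leak described in this comment, as an added example that is not part of the thread or Heroic's own code: a child-process error is scrubbed of secret-bearing arguments before it is formatted for the log. The flag list beyond `--token`, the function names and the sample token value are assumptions.

```javascript
// Added example, not Heroic's code. Only --token appears in the issue;
// the other flag name is a hypothetical illustration.
const SECRET_FLAGS = ['token', 'password'];

// Matches --flag=value and --flag value, where value is bare or quoted.
const SECRET_ARG = new RegExp(
  `(--(?:${SECRET_FLAGS.join('|')}))(=|\\s+)(?!--)("[^"]*"|'[^']*'|[^\\s"']+)`,
  'g'
);

// Replace the value of every secret-bearing argument, keeping the flag itself
// so the log still shows which command was run.
function redactSecrets(text) {
  return String(text).replace(SECRET_ARG, (_, flag, sep) => `${flag}${sep}<redacted>`);
}

// Node's child_process errors repeat the full command line in message,
// stack and cmd, so all three must be scrubbed before logging.
function sanitizeError(err) {
  const clean = new Error(redactSecrets(err.message));
  clean.name = err.name;
  if (err.stack) clean.stack = redactSecrets(err.stack);
  if (typeof err.cmd === 'string') clean.cmd = redactSecrets(err.cmd);
  if ('code' in err) clean.code = err.code;
  return clean;
}

// Format a backend failure for the log; the raw error never reaches the sink.
function formatBackendError(err) {
  return `ERROR: [Backend]: ${sanitizeError(err)}`;
}

// Constructed sample shaped like the failure in the issue; the token is made up.
function sampleFailure() {
  const cmd =
    'gogdl info 1207664623 --token="CONSTRUCTED-TOKEN-123" --lang=en-US --os windows';
  const err = new Error(`Command failed: ${cmd}`);
  err.cmd = cmd;
  err.code = 1;
  return err;
}

console.log(formatBackendError(sampleFailure()));
```

Calling this in the `catch` around the command runner covers the failure case as well as the normal command logging.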

philipwilk commented 2 years ago

1044 resolves this