Closed darklajid closed 3 years ago
artjomsk
commented
4 years ago You can change log level to WARN.
Or Oxalis developers can decrease log level in code you mention to DEBUG or TRACE. I think it's better approach than introducing new parameter.
darklajid
commented
4 years ago You can change log level to WARN.
Have you tried that? Because .. I don't think that works (unless you modify Oxalis itself), because the logging framework loads it configuration file AFTER the settings are getting dumped into the (default) logger as far as I can see.
I think it's better approach than introducing new parameter.
I respectfully disagree. In my opinion, passwords don't belong in (aggregated/potentially shared) logs. I see this as a (debug, dev mode) default behavior that I would love to completely turn off. And a parameter for that doesn't cost a thing/could be a single line check.
open-gdsn
commented
4 years ago Passwords should never be logged in cleartext... Ever... If you want tot test something in relation to passewords, run in a debugger and set breakpoints
theneva
commented
3 years ago I just encountered the plaintext passwords in the log, and considering the amount of work and secrecy required to get a hold of the keystore and password, I find this behaviour shocking.
Please allow us to obscure or drop sensitive fields from the log.
https://github.com/OxalisCommunity/oxalis/commit/99de80f98b1b4beb902dd33baa7c07485ee37595 is a commit from 2013 intending to hide sensitive config fields. Clearly, this change has since been undone. If undoing it was an accident, I think it's important to get it back in. If it was intentional, some documentation on the rationale behind that decision would be valuable – at least I would have known to try to restrict access to this app's logs.
aaron-kumar
commented
3 years ago c91dd30c75cf6ec882bd544ba7fbc9ba80ab8822 will hide sensitive configuration fields . Feel free to contribute (pull request) if you @darklajid want to disable dumping of all settings
aaron-kumar
commented
3 years ago @darklajid Main issue to hide password/sensitive field achieved. If you additionally want to raise PR request for dumping all settings (as you promised when you posted this issue in 2019), then please do so. I am closing this issue now.
Right now, Oxalis dumps all settings to the logs during startup.
That's quite helpful as a default / during troubleshooting, but otherwise quite noisy - and it literally dumps the keystore and certificate password into the logs too.
In my case I have services integrating with Oxalis for outbound transmissions and those are spinning up on demand (so startup logs are a regular thing, removing the noise would be nice). I also don't like the idea of dumping the passwords into logs in general.
Would you accept a pull request introducing a parameter (say 'oxalis.config.dump' - feel free to improve the name) that is a boolean flag defaulting to true? As in, without it being explicitly set to false in the config file, everything stays the same?