logstash-plugins / logstash-input-salesforce

Logstash input for pulling objects from salesforce
Apache License 2.0

Change sensitive config types to `Password`. #34

Closed mashhurs closed 1 year ago

mashhurs commented 1 year ago

Issue description

When `--debug` is enabled, there might be a leak of sensitive data such as `security_token` in the debug log in Logstash-code.

How to reproduce?

# config
input {
  salesforce {
    client_id => "OAUTH_CLIENT_ID_FROM_YOUR_SFDC_APP"
    client_secret => "OAUTH_CLIENT_SECRET"
    username => "email@example.com"
    password => "super-secret"
    security_token => "SECURITY_TOKEN"
    sfdc_object_name => "Opportunity"
  }
}
output {
  stdout {}
}
# Log before change
[2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@password = "super-secret"
[2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@sfdc_object_name = "Opportunity"
[2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@security_token = "SECURITY_TOKEN"
[2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@client_secret = "OAUTH_CLIENT_SECRET"
[2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@id = "bd7dc92c85796c3ea5c00db2b609c7de40dbe32a5b98bf14df4a66139f117090"
[2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@client_id = "OAUTH_CLIENT_ID_FROM_YOUR_SFDC_APP"
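
An added example, not part of the issue or of the plugin's code: a small Ruby audit for debug logs in the format shown above, which reports sensitive settings logged in clear text and can rewrite such lines with a mask. The `SENSITIVE` list is an assumption about which settings count as secrets, and the `AFTER` lines are constructed to show the `<password>` form that a `Password`-typed setting prints as.

```ruby
# Added example: audit Logstash debug logs for plugin settings logged in clear text.
# Parses the "config <Class>/@<setting> = <value>" debug lines shown in the issue.
CONFIG_LINE = %r{
  \[(?<ts>[^\]]+)\]\[DEBUG\s*\]\[(?<logger>[^\]]+)\](?:\[[^\]]*\])*\s+
  config\s+(?<klass>[\w:]+)/@(?<name>\w+)\s+=\s+(?<value>.*)\z
}x

# Assumption: the settings treated as secrets for this plugin.
SENSITIVE = %w[password security_token client_secret].freeze
# What a Password-typed setting prints as instead of its value.
MASK = "<password>"

# MatchData for a config line that names a sensitive setting, else nil.
def sensitive_match(line, sensitive)
  m = CONFIG_LINE.match(line.chomp)
  m if m && sensitive.include?(m[:name])
end

# Names of sensitive settings whose real value appears in the log.
def leaked_settings(lines, sensitive: SENSITIVE)
  lines.map { |line|
    m = sensitive_match(line, sensitive)
    "#{m[:klass]}/@#{m[:name]}" if m && m[:value].strip != MASK
  }.compact.uniq
end

# Copy of the line with a sensitive value replaced by the mask.
def redact(line, sensitive: SENSITIVE)
  m = sensitive_match(line, sensitive)
  m ? line[0...m.begin(:value)] + MASK : line
end

# Constructed sample input: BEFORE follows the issue's log, AFTER is the masked form.
P = '[2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] ' \
    'config LogStash::Inputs::Salesforce/@'
BEFORE = ['password = "super-secret"', 'sfdc_object_name = "Opportunity"',
          'security_token = "SECURITY_TOKEN"',
          'client_secret = "OAUTH_CLIENT_SECRET"'].map { |s| P + s }.freeze
AFTER = ['password = <password>', 'security_token = <password>',
         'sfdc_object_name = "Opportunity"'].map { |s| P + s }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "before change: #{leaked_settings(BEFORE).inspect}"
  puts "after change:  #{leaked_settings(AFTER).inspect}"
  BEFORE.each { |l| puts redact(l) }
end
```

Any setting reported by `leaked_settings` on archived debug logs identifies a credential that was written to disk in clear text and should be rotated.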