redis / jedis

Redis Java client
https://redis.github.io/jedis/
MIT License

DefaultJedisClientConfig password exposure issue #4021

Open ivanfrias opened 2 weeks ago

ivanfrias commented 2 weeks ago

The class DefaultJedisClientConfig overrides the getPassword method that returns a String. Returning a String might be considered a potential security issue since an attacker might inspect the heap and find the value in plaintext. Ideally we should just pass through the value supplied by the provider here and not create a String based on the char[] array.

Expected behavior

Return a char[] instead of String

Actual behavior

A string is returned.

Steps to reproduce:

N/A

Redis / Jedis Configuration

N/A

Jedis version:

N/A

Redis version:

Java version:

N/A
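The following is an added illustration of the concern raised in this issue; it is not Jedis code. The Credentials, StringReturningConfig and CharArrayReturningConfig types are simplified, hypothetical stand-ins for a credentials provider and a client config, and the sample secret is constructed for the demo. It contrasts a getter that materialises the password as an immutable String (which the caller can never wipe) with one that passes the provider's char[] through unchanged (which the caller can zero with Arrays.fill once it has been used).

```java
import java.util.Arrays;
import java.util.function.Supplier;

// Added example, not from the Jedis project. Type and method names are
// hypothetical stand-ins chosen to mirror the String-vs-char[] getter question.
public class PasswordExposureDemo {

    /** Stand-in for a credentials object whose password is a mutable char[]. */
    interface Credentials {
        char[] getPassword();
    }

    /** Legacy-style config: materialises the password as an immutable String. */
    static final class StringReturningConfig {
        private final Supplier<Credentials> provider;

        StringReturningConfig(Supplier<Credentials> provider) {
            this.provider = provider;
        }

        // Creates an immutable copy. Nothing the caller does later can clear it;
        // the plaintext stays on the heap until the GC happens to reclaim it.
        String getPassword() {
            return new String(provider.get().getPassword());
        }
    }

    /** Pass-through config: hands the caller the provider's char[] unchanged. */
    static final class CharArrayReturningConfig {
        private final Supplier<Credentials> provider;

        CharArrayReturningConfig(Supplier<Credentials> provider) {
            this.provider = provider;
        }

        // No copy is made, so there is exactly one buffer to wipe after use.
        char[] getPassword() {
            return provider.get().getPassword();
        }
    }

    /** Uses the secret (here: a constructed comparison) and then zeroes it. */
    static boolean authenticateAndWipe(char[] secret, char[] expected) {
        try {
            return Arrays.equals(secret, expected);
        } finally {
            Arrays.fill(secret, '\0'); // wipe the buffer once it has been used
        }
    }

    public static void main(String[] args) {
        char[] expected = "hunter2".toCharArray(); // constructed sample secret

        // Legacy path: the String copy is unaffected by wiping the backing array.
        char[] legacyBacking = "hunter2".toCharArray();
        Supplier<Credentials> legacyProvider = () -> () -> legacyBacking;
        String stringCopy = new StringReturningConfig(legacyProvider).getPassword();
        authenticateAndWipe(legacyBacking, expected);
        System.out.println("String copy after wiping backing array: " + stringCopy);

        // Pass-through path: the caller receives the backing array itself and
        // can zero it, leaving no plaintext copy behind.
        char[] passThroughBacking = "hunter2".toCharArray();
        Supplier<Credentials> passThroughProvider = () -> () -> passThroughBacking;
        char[] handed = new CharArrayReturningConfig(passThroughProvider).getPassword();
        boolean ok = authenticateAndWipe(handed, expected);
        System.out.println("auth ok=" + ok
                + ", backing array after wipe: " + Arrays.toString(passThroughBacking));

        Arrays.fill(expected, '\0'); // clean up the comparison value as well
    }
}
```

The design point is that a char[] getter only helps if every consumer wipes the array after use and nothing in between copies it into a String (logging, string concatenation, or a `new String(...)` for a legacy API all defeat it). Zeroing is also best effort: the JVM may have already copied the array during GC compaction, so this reduces the window of exposure rather than guaranteeing the plaintext is gone.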

sazzad16 commented 2 weeks ago

String getPassword() is still there to support legacy applications without breaking. We may remove it at some point in favor of getCredentialsProvider().

sazzad16 commented 2 weeks ago

Tagged 6.0.0 just so it stays in front of eyes more.