sazzad16
commented
2 days ago String getPassword() is still there to support legacy applications without breaking. We may remove it at some point in favor of getCredentialsProvider().
Open ivanfrias opened 2 days ago
sazzad16
commented
2 days ago String getPassword() is still there to support legacy applications without breaking. We may remove it at some point in favor of getCredentialsProvider().
sazzad16
commented
2 days ago Tagged 6.0.0 just so it stays in front of eyes more.
The class DefaultJedisClientConfig overrides the getPassword method that returns a String. Returning a string might be considered a potential security issue since an attacker might inspect the heap and find the value in plaintext. Ideally we should just pass-through the value supplied by the provider here and not create a String based on the char[] array.
Expected behavior
Return a char[] instead of String
Actual behavior
A string is returned.
Steps to reproduce:
N/A
Redis / Jedis Configuration
N/A
Jedis version:
N/A
Redis version:
Java version:
N/A