ryanwinchester / tmi.ex

Twitch Messaging Interface for Elixir.
Apache License 2.0

Passwords are exposed in error logs #6

Closed: xtagon closed 2 years ago

xtagon commented 3 years ago

Hi,

When TMI terminates, an error is logged to the console (I'm using Phoenix Framework) which includes the Twitch OAuth token.

For example:

[info] 'Connection to irc.chat.twitch.tv:6697 closed!'
[debug] [TMI] Disconnected
[debug] [TMI] Disconnected from irc.chat.twitch.tv:6697
[warn] [TMI] Terminating...
[error] GenServer TMI.Handlers.ConnectionHandler terminating
** (MatchError) no match of right hand side value: {:error, :not_connected}
    (tmi 0.3.1) lib/tmi/client.ex:117: TMI.Client.quit/2
    (tmi 0.3.1) lib/tmi/handlers/connection_handler.ex:50: TMI.Handlers.ConnectionHandler.terminate/2
    (stdlib 3.13) gen_server.erl:718: :gen_server.try_terminate/3
    (stdlib 3.13) gen_server.erl:903: :gen_server.terminate/10
    (stdlib 3.13) proc_lib.erl:226: :proc_lib.init_p_do_apply/3
Last message: :disconnected
State: %TMI.Conn{caps: ["tags", "commands"], chats: ["mychannel"], client: #PID<0.460.0>, name: "myname", nick: "myname", pass: "oauth:mytoken", port: 6697, server: "irc.chat.twitch.tv", user: "myname"}
[debug] [TMI] Connecting to irc.chat.twitch.tv:6697...

I have redacted it in this example of course.

The Phoenix logger has a configuration option for filtering passwords from the logs, but I don't think this applies to error dumps like this.

ryanwinchester commented 3 years ago

Probably fixed in 33f90c1e5a591fffd31184373868a7a08b71ad00, but will need to test.
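
One way to keep a credential out of the "State:" line of a GenServer crash report, shown as an added example; it is not code from tmi.ex and not the change in the commit referenced above. `ExampleConn` and `ExampleHandler` are hypothetical modules that mirror the fields visible in the logged state, and the token value is constructed.

```elixir
# Added example (not tmi.ex code). ExampleConn is a hypothetical struct that
# mirrors the fields visible in the logged %TMI.Conn{} state.
defmodule ExampleConn do
  # Leave :pass out of every inspect/1 rendering of this struct. Elixir's
  # Logger renders the state of a crashing GenServer through inspect.
  @derive {Inspect, except: [:pass]}
  defstruct [:server, :port, :nick, :user, :name, :pass, chats: [], caps: []]
end

defmodule ExampleHandler do
  use GenServer

  # start/1 (not start_link) so the crash does not take the caller down.
  def start(conn), do: GenServer.start(__MODULE__, conn)

  @impl true
  def init(conn), do: {:ok, conn}

  @impl true
  def handle_info(:disconnected, conn) do
    # A failing match like the one in the report, so the state gets dumped.
    :ok = fake_quit()
    {:noreply, conn}
  end

  defp fake_quit, do: {:error, :not_connected}
end

conn = %ExampleConn{
  server: "irc.chat.twitch.tv",
  port: 6697,
  nick: "myname",
  user: "myname",
  name: "myname",
  pass: "oauth:constructed-sample-token",
  chats: ["mychannel"],
  caps: ["tags", "commands"]
}

# The secret is still available to code that needs it...
"oauth:" <> _ = conn.pass
# ...but it is absent from the inspected form.
rendered = inspect(conn)
false = String.contains?(rendered, "constructed-sample-token")
IO.puts(rendered)

# Crash the process: the [error] report's "State:" line carries no token.
{:ok, pid} = ExampleHandler.start(conn)
send(pid, :disconnected)
Process.sleep(100)
```

This only covers renderings that go through the `Inspect` protocol; code that logs `conn.pass` directly or formats the struct as a plain map is unaffected.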