- Type: Task
- Resolution: Won't Do
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Security
Broken off from https://github.com/10gen/compass/pull/939
durran.jordan suggested:
I'm actually against this as this specific debug helped track down the issue with a customer on the libsecret problem - as I could see the connection details in the logs. In production, the password is redacted:
mongodb-compass:models:connection Testing connection to `
Unknown macro: {"name"}`... +22s
thomasr says:
We can't leave it in like that for production. Huge potential for PR disaster. Either we redact in production or take that whole line out.
durran.jordan says:
Yeah I would prefer redacting as the connection information has been very useful in debugging issues.
lucas.hrabovsky says:
The redact-secrets module could be helpful here:
> Deeply iterate over an object and redact secret values by replacing them with a predefined string.
Combining it with an override of debug#formatArgs() should give the desired result (something like the below):
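```js
var debug = require('debug');
var _format = debug.formatArgs;
var redact = require('redact-secrets')('[REDACTED]');

// Wrap debug's formatter so object arguments are redacted before they are formatted.
debug.formatArgs = function(...args) {
  // redact.map() returns a redacted copy; non-object arguments pass through unchanged.
  const redactedArgs = args.map((arg) => (typeof arg === 'object') ? redact.map(arg) : arg);
  // Keep the logger instance as `this`; the original formatter reads its state from it.
  return _format.apply(this, redactedArgs);
};
```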
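Added example, not part of the ticket or of Compass's code: the override above only touches object arguments, so a connection URI logged as a plain string would pass through unredacted. This dependency-free sketch redacts both nested secret-looking keys and the password in `mongodb://` URIs; the key pattern, function names and sample data are assumptions made for illustration.

```javascript
// Added example. SECRET_KEY, the function names and the sample are assumptions.
const SECRET_KEY = /pass(word)?|secret|token|api[_-]?key|credential/i;
const URI_USERINFO = /\b(mongodb(?:\+srv)?:\/\/[^:@\/\s]+):[^@\/\s]+@/gi;
const MASK = '[REDACTED]';

// Mask the password of any mongodb:// or mongodb+srv:// URI inside a string.
function redactString(str) {
  return str.replace(URI_USERINFO, `$1:${MASK}@`);
}

// Return a redacted deep copy of plain objects, arrays and strings.
// The input is never mutated; `ancestors` tracks the current path to stop cycles.
function redactValue(value, ancestors = new WeakSet()) {
  if (typeof value === 'string') return redactString(value);
  if (value === null || typeof value !== 'object') return value;
  if (ancestors.has(value)) return '[Circular]';
  ancestors.add(value);
  const out = Array.isArray(value)
    ? value.map((v) => redactValue(v, ancestors))
    : Object.fromEntries(Object.entries(value).map(([key, v]) => [
        key,
        // A secret-looking key hides its whole value, whatever its type.
        SECRET_KEY.test(key) && v != null ? MASK : redactValue(v, ancestors)
      ]));
  ancestors.delete(value);
  return out;
}

// Redact every argument of one log call, strings included.
function redactArgs(args) {
  return args.map((arg) => redactValue(arg));
}

// Constructed sample: a connection-like object and a URI string.
const sample = {
  name: 'Local',
  hostname: 'db.example.test',
  mongodb_password: 'hunter2',
  ssh_tunnel: { ssh_tunnel_password: 's3cret', port: 22 },
  uri: 'mongodb://app:hunter2@db.example.test:27017/admin'
};
console.log(redactArgs(['Testing connection to %j', sample]));
```

`redactArgs` could replace the `typeof arg === 'object'` mapping inside a `formatArgs` override so that string arguments are covered as well.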
- related to: COMPASS-2332 Write to Log File in Production (Closed)