Description
Have you read and understood the above guidelines?
yes
Provide a clear and concise description of the issue.
This isn't actually a bug but more of a security vulnerability item. When posting usernames and passwords or SSH keys and passwords, the log exposes them in plain text. This can be considered a security vulnerability, and should be addressed.
When adding my servers to the app, I received an error due to the port not being an integer (another report). I was able to check the log and see in plain text my credentials for each of the servers.
Steps to reproduce the issue.
- Add a server
- Cause an error on the page
- Check System Logs
- See plaintext password
Paste the full error output (if available).
Oct 18 13:05:07 pve-scripts-local npm[2878]: Invalid prisma.server.create() invocation:
Oct 18 13:05:07 pve-scripts-local npm[2878]: {
Oct 18 13:05:07 pve-scripts-local npm[2878]: data: {
Oct 18 13:05:07 pve-scripts-local npm[2878]: name: "Server",
Oct 18 13:05:07 pve-scripts-local npm[2878]: ip: "x.x.x.x",
Oct 18 13:05:07 pve-scripts-local npm[2878]: user: "redacted",
Oct 18 13:05:07 pve-scripts-local npm[2878]: password: "redacted",
Oct 18 13:05:07 pve-scripts-local npm[2878]: auth_type: "password",
Oct 18 13:05:07 pve-scripts-local npm[2878]: ssh_key: "",
Oct 18 13:05:07 pve-scripts-local npm[2878]: ssh_key_passphrase: "",
Oct 18 13:05:07 pve-scripts-local npm[2878]: ssh_port: "22",
Oct 18 13:05:07 pve-scripts-local npm[2878]: ~~~~
Oct 18 13:05:07 pve-scripts-local npm[2878]: ssh_key_path: null,
Oct 18 13:05:07 pve-scripts-local npm[2878]: key_generated: false,
Oct 18 13:05:07 pve-scripts-local npm[2878]: color: "#3b82f6"
Oct 18 13:05:07 pve-scripts-local npm[2878]: }
Oct 18 13:05:07 pve-scripts-local npm[2878]: }
Additional context (optional).
There may need to be a layer between the app and the log that can redact credentials to prevent a potential attack surface if someone was able to expose those logs.
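The redaction layer suggested above, as an added example rather than the project's own code: it masks the credential fields both in structured payloads and inside Prisma's text-form "Invalid ... invocation" message before anything is written to the log. The secret field names are taken from the log excerpt; the `meta` property on the error and the sample message are constructed assumptions.

```javascript
const SECRET_KEYS = ['password', 'ssh_key', 'ssh_key_passphrase'];
const MASK = '[REDACTED]';

// Deep-copy a structured value, masking the value of every secret key.
function redactObject(value, secretKeys = SECRET_KEYS) {
  if (Array.isArray(value)) return value.map((v) => redactObject(v, secretKeys));
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = secretKeys.includes(k) ? MASK : redactObject(v, secretKeys);
  }
  return out;
}

// Prisma's "Invalid ... invocation" message embeds the arguments as text
// (`password: "hunter2",`), so the message string must be redacted as well.
function redactText(text, secretKeys = SECRET_KEYS) {
  const keys = secretKeys.map((k) => k.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('|');
  // Match `key: "..."`, allowing escaped quotes inside the quoted value.
  const pattern = new RegExp(`\\b(${keys})(\\s*:\\s*)"(?:[^"\\\\]|\\\\.)*"`, 'g');
  return text.replace(pattern, `$1$2"${MASK}"`);
}

// Turn an error into a log-safe record: message, stack and any attached
// payload (field name `meta` is an assumption) all go through the redactors.
function toLogRecord(err) {
  return {
    name: err.name,
    message: redactText(String(err.message)),
    stack: err.stack ? redactText(err.stack) : undefined,
    meta: err.meta === undefined ? undefined : redactObject(err.meta),
  };
}

// Constructed sample shaped like the log excerpt in this report.
const SAMPLE_MESSAGE = [
  'Invalid prisma.server.create() invocation:',
  '{ data: {',
  '    user: "alice",',
  '    password: "hunter2",',
  '    ssh_key_passphrase: "",',
  '    ssh_port: "22",',
  '} }',
].join('\n');

function demo() {
  const err = new Error(SAMPLE_MESSAGE);
  err.meta = { data: { user: 'alice', password: 'hunter2', ssh_port: '22' } };
  return toLogRecord(err);
}
```

Route every error through `toLogRecord` before handing it to the logger so that the raw Prisma error message never reaches the system log.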