Skip to content

Fixing issue #35530: Password Leak in Log Messages #35584

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Fixing issue #35530: Password Leak in Log Messages #35584

wants to merge 5 commits into from
+7 −5

Conversation

shashank-netapp
Copy link

@shashank-netapp shashank-netapp commented Oct 4, 2025
edited
Loading

Summary

The Gitea codebase was logging Elasticsearch and Meilisearch connection strings directly to log files without sanitizing them. Since connection strings often contain credentials in the format protocol://username:password@host:port, this resulted in passwords being exposed in plain text in log output.

Fix:

  • wrapped all instances of setting.Indexer.RepoConnStr and setting.Indexer.IssueConnStr with the util.SanitizeCredentialURLs() function before logging them.

Fixes: #35530

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 4, 2025
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Oct 4, 2025
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 4, 2025
@techknowlogick techknowlogick added backport/v1.24 This PR should be backported to Gitea 1.24 backport/v1.25 labels Oct 4, 2025
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 4, 2025
@wxiaoguang
Copy link
Contributor

It's better to call SanitizeCredentialURLs in EventFormatTextMessage, then all messages are sanitized, nothing will be missing. And it's easier to add a test for EventFormatTextMessage

@shashank-netapp
Copy link
Author

It's better to call SanitizeCredentialURLs in EventFormatTextMessage, then all messages are sanitized, nothing will be missing. And it's easier to add a test for EventFormatTextMessage

That seems more secure, but again this would be adding a few bit of lines to all the log statements and for the majority of time we may not even need it. Is this extra cost acceptable ?

@wxiaoguang
Copy link
Contributor

It's better to call SanitizeCredentialURLs in EventFormatTextMessage, then all messages are sanitized, nothing will be missing. And it's easier to add a test for EventFormatTextMessage

That seems more secure, but again this would be adding a few bit of lines to all the log statements and for the majority of time we may not even need it. Is this extra cost acceptable ?

SanitizeCredentialURLs is designed to be very fast. If the message doesn't look like containing a URL with password, (containing :// and @), it does nothing.

Personally I think it's worth to make the logger system more secure, but I am fine with either (current approach, or calling SanitizeCredentialURLs for all log messages). It's up to the reviewers. @lunny @techknowlogick

@lunny
Copy link
Member

lunny commented Oct 6, 2025
edited
Loading

I think as a quick patch, this is enough.

Adding a log level check requires balancing performance and security. Most log format arguments don’t need such checks, but verifying the log level can help prevent potential leaks of sensitive information.

Alternatively, we could introduce a dedicated type, for example, type SensitiveString string, to explicitly mark and handle sensitive data. This approach would provide a reasonable balance between performance and security. These improvements could be introduced in a separate PR.

@lunny
Copy link
Member

lunny commented Oct 6, 2025

I sent #35594 as an example how it might be.

@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Oct 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lunny lunny lunny approved these changes

@techknowlogick techknowlogick techknowlogick approved these changes

Assignees
No one assigned
Labels
backport/v1.24 This PR should be backported to Gitea 1.24 backport/v1.25 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/go Pull requests that update Go code reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Elasticsearch password print on clear in case of error
5 participants
@shashank-netapp @wxiaoguang @lunny @techknowlogick @GiteaBot