-
Notifications
You must be signed in to change notification settings - Fork 701
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New createCurlCmd feature leaks secrets in log when tracing is enabled #828
Comments
@nagius Thanks for reporting it. I agree that adding the method |
While implementing, I decided to change the method name as follows on the Client and Request instances -
|
jeevatkm
added a commit
that referenced
this issue
Sep 3, 2024
… in conjunction with debug mode and few clean ups #828
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The new curl log output introduced by #794 will leak secrets when tracing is enabled. See output example:
For the remaining of the tracing output, it's possible to set a callback with
OnRequestLog()
than will filter out sensitive data like password or tokens from the log output. (See REDACTED output in the above example). This do not affect the generated curl output.This generated Curl output is interesting but only in some usecases. Can we add a flag to disable that feature in the trace output ?
Or better, a flag to explicitly enable it (like
EnableTraceWithCurl()
, with a warning in the docs as this can leak secrets.The text was updated successfully, but these errors were encountered: