Security Bug - Database Password Released to Logs #4376

Closed
michael1800v1 opened this issue Feb 6, 2025 · 1 comment
Labels
bug Something isn't working PR welcome Good for new contributor

michael1800v1 commented Feb 6, 2025

Describe the bug

Memos now accepts the MEMOS_DSN_FILE env var without modifications, which is great; but then proceeds to dump the password, in plaintext, to the log as it starts up in production mode. I understand doing so in development mode, but database passwords shouldn't be passed into production logs.

Steps to reproduce

  1. Start memos with any valid configuration that uses the MEMOS_DSN environment variable.
  2. View logs, specifically under 'Server Profile' immediately after startup (any log verbosity level).

The version of Memos you're using

v0.24.0

Screenshots or additional context

Running in Docker Swarm from Docker Compose (neosmemo/memos:v0.24.0)

@michael1800v1 michael1800v1 added the bug Something isn't working label Feb 6, 2025
@johnnyjoygh johnnyjoygh added the PR welcome Good for new contributor label Feb 7, 2025
Collaborator

boojack commented Feb 7, 2025

Updated with 9957f8e

@boojack boojack closed this as completed Feb 7, 2025
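
An added example, not part of the issue thread and not the Memos project's code (the change referenced as 9957f8e is not shown on this page): one way to mask the password in a DSN before it is written to a startup log. `RedactDSN` is a hypothetical helper, the sample DSN is constructed, and the three DSN shapes it handles (URL, keyword/value, and `user:pw@tcp(host)/db`) are assumptions about what such a variable may hold.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// kvSecret matches password=... in keyword/value DSNs (bare or quoted value).
var kvSecret = regexp.MustCompile(`(?i)\b(password|passwd|pwd)\s*=\s*('(?:[^'\\]|\\.)*'|\S+)`)

// RedactDSN (hypothetical helper) masks the password in a DSN before logging.
// A URL-style DSN that fails to parse is masked whole rather than printed.
func RedactDSN(dsn string) string {
	const mask = "REDACTED"
	if i := strings.Index(dsn, "://"); i > 0 { // postgres://user:pw@host/db
		u, err := url.Parse(dsn)
		if err != nil {
			return dsn[:i+3] + mask
		}
		if u.User != nil {
			if _, ok := u.User.Password(); ok {
				u.User = url.UserPassword(u.User.Username(), mask)
			}
		}
		return u.String()
	}
	if kvSecret.MatchString(dsn) { // host=db user=memos password=pw
		return kvSecret.ReplaceAllString(dsn, "${1}="+mask)
	}
	// user:pw@tcp(host:3306)/db; the password may itself contain '@' or ':'.
	if slash := strings.LastIndex(dsn, "/"); slash >= 0 {
		if at := strings.LastIndex(dsn[:slash], "@"); at >= 0 {
			if colon := strings.Index(dsn[:at], ":"); colon >= 0 {
				return dsn[:colon+1] + mask + dsn[at:]
			}
		}
	}
	return dsn // no credentials found, e.g. a SQLite file path
}

func main() {
	// Constructed sample value, not taken from the issue.
	dsn := "memos:s3cret@tcp(db:3306)/memos"
	fmt.Printf("dsn: %s\n", RedactDSN(dsn))
}
```

Masking at the point where the profile is formatted for output keeps the real DSN available to the database driver while the log only ever receives the redacted copy.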