When the nebula-console software is used, the plaintext password is leaked by running the ps -ef command

[cccxgit]

In the startup script of the storaged service container, the nebula-console software is used to perform the add host operation. Also, when I developed the k8s probe, I also used the nebula-console software to check the node serviceability and status.

This has the risk of compromising plaintext password security. When you run the ps -ef command to view the process information, the plaintext password is displayed.

UID        PID  PPID    C STIME  TTY     TIME      CMD
root    33235 32818  0 21:58   pts/1    00:00:00 nebula-console --addr infinitygraph-graphd-headless --port 8888 -u root -p xxxxxxx

[QingZ11]

We will optimize the plaintext display issue and make the modifications in the latest version.

[cccxgit]

Thanks, for your reply
When will the plaintext password issue be resolved? Also, which repository will be modified: nebula-console or nebula?

[MegaByte875]

nebula-console support it now vesoft-inc/nebula-console#239, operator will support in release 1.8.1 recently

[cccxgit]

Thanks, for your reply. Your support has helped us a lot.

I still have some questions and requests for help:

1. I found that the code for this issue has been submitted in the master repository of nebula-console. Is there a compiled binary available for testing?
2. The latest release of nebula-console is 3.6 (this issue is not resolved). Is it possible to incorporate the code of this problem into the V3.6 version? Because we're currently blocked by this security issue.