-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mask the credentials in the build output #9
Comments
Good idea, I'll look into that when I find some time. You can feel free to submit a patch as well. |
The PR that I just opened is pretty aggressive, because it ends up removing most of the output. I'm not sure that it is a huge problem because the If you think there is some value to keeping some of the output behind some sort of debug flag, I would suggest at least hiding it by default. I know I made the incorrect assumption that credentials would be hidden by default and only realized it when I was going through the log to understand a different issue, meaning I will need to reset my database url and credentials to keep things secure. Thanks for being open to getting this handled. |
@zero5100 did you happen to have thoughts about this PR? I would love to see this pulled in and have a release cut that includes the jars since this is currently blocking me from moving forward with one of my projects. I would normally reference my own branch, but since master does not include the jars, I can't do that easily. I assume the addition of the jars must be part of publishing to npm? |
@travi I have not taken the time to thoroughly look into the problem yet, but it looks like that PR would not be able to be merged right now as written. It should be pointed at the upstream develop branch instead of master, and we would probably want to add a verbose/debug flag that enables the extra output. I think ideally it would show the normal debug output that it does right now except we would mask the password as ***** or something. It would probably be safe to leave the username in the output, but that could be moved the verbose output as well if you wanted to be extra safe. I would encourage you to create and use your own fork for now if it is blocking you; I can't guarantee when any new changes would make it into master. Once #7 is merged into develop and then master the jars will be included. |
Thank you for the additional information. I agree that truly masking the sensitive information would be ideal, but since the output is currently directly dumped, it would take a bit of fairly specific processing to do that type of masking. I do think that it is important to mask the It sounds like some pieces need to come together for this to be included in a release, but it also sounds like you are on top of it. For now, it probably makes sense for me to close the current PR and let you take the first steps. I'm happy to help out as things move closer, so don't hesitate to ping me at the appropriate time. |
Sounds good, thanks. |
…ormation is not exposed in the build output for #14 until gomoob/grunt-flyway#9 is resolved
no matter how carefully the credentials are passed to the task, they are printed in the build output, where anyone with access to the build can see them. flyway itself is careful to prevent this.
Could something be done to mask at least the credentials in the output?
The text was updated successfully, but these errors were encountered: