-
Notifications
You must be signed in to change notification settings - Fork 12.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
remote_cache: Fix redis connstr parsing #18204
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for finding this and contributing your modifications!
I have proposed some additional changes before merging.
return nil, fmt.Errorf("incorrect redis connection string format detected for '%v', format is key=value,key=value", rawKeyValue) | ||
if strings.HasPrefix(rawKeyValue, "password") { | ||
// don't log the password | ||
return nil, fmt.Errorf("incorrect redis connection string format detected for 'password', format is key=value,key=value") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Anyway, instead of returning a different error I would proposed to censor the rawKeyValue
.
In that case you could do something like this:
for _, rawKeyValue := range keyValueCSV {
keyValueTuple := strings.SplitN(rawKeyValue, "=", 2)
censored := []byte(rawKeyValue)
if len(keyValueTuple) != 2 {
if strings.HasPrefix(rawKeyValue, "password") {
for i := len("password"); i < len(rawKeyValue); i++ {
censored[i] = '*'
}
}
return nil, fmt.Errorf("incorrect redis connection string format detected for '%v', format is key=value,key=value", string(censored))
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of leaking any information (eg. length of the password) what about the current solution? I think nobody is interested in the correct length so the error should be enough.
- Only one return - Censor the password instead of an own return
b792a40
to
b1321b9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That is even better. Just a small improvement.
* origin/master: Replaced ubuntu:latest with ubuntu:18.04; specific image version to make grafana build images consistent (#18224) Build: correct verify script (#18236) remote_cache: Fix redis connstr parsing (#18204) Auth: do not expose disabled user disabled status (#18229) Build: Introduce shellcheck (#18081) Docs: Update documentation with new SAML features (#18163)
* Fix redis connstr parsing * Don’t log the password (cherry picked from commit 3154759)
* Fix redis connstr parsing * Don’t log the password (cherry picked from commit 3154759)
What this PR does / why we need it:
Fixes wrong splitting string after the first
=
, allows usage of base64 passwords like Azure Redis is using.Instead of split the string into multiple pieces only split it into max of 2 pieces.
Which issue(s) this PR fixes:
Fixes #18199
Special notes for your reviewer: