Registry token shown in debug logs #9822

pietroalbini · 2021-08-22T14:07:17Z

Problem

When publishing a crate with debug logging enabled, the full, plaintext registry token is included in the output. This is bad when users are trying to figure out what's wrong with cargo publish and end up sending their logs to another person to help debugging, or worse they post the log in a public issue.

Steps

CARGO_LOG=debug cargo publish 2>&1 | grep "found token \"cio"

Possible Solution(s)

The log message is defined here:

cargo/src/cargo/ops/registry.rs

Line 485 in 216f915

log::debug!("found token {:?}", token);

The log message should either be removed or it should be changed to only display the last N chars of the API token (to still allow someone debugging cargo to know which token it picked up).

Notes

Output of cargo version:

cargo 1.54.0 (5ae8d74b3 2021-06-22)
release: 1.54.0
commit-hash: 5ae8d74b3b2d58f32c8d357e5cfa04d430a70e0b
commit-date: 2021-06-22

The text was updated successfully, but these errors were encountered:

Rustin170506 · 2021-09-01T14:30:44Z

@rustbot claim

pietroalbini added the C-bug Category: bug label Aug 22, 2021

rustbot assigned Rustin170506 Sep 1, 2021

Rustin170506 mentioned this issue Sep 4, 2021

Remove log output that may leak tokens #9873

Merged

bors closed this as completed in e515c32 Sep 8, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Registry token shown in debug logs #9822

Registry token shown in debug logs #9822

pietroalbini commented Aug 22, 2021 •

edited by rustbot

Loading

Rustin170506 commented Sep 1, 2021

Registry token shown in debug logs #9822

Registry token shown in debug logs #9822

Comments

pietroalbini commented Aug 22, 2021 • edited by rustbot Loading

Rustin170506 commented Sep 1, 2021

pietroalbini commented Aug 22, 2021 •

edited by rustbot

Loading