Mask passwords in VERBOSE logs when running Phing in debug mode? #1672

Open
amigian74 opened this issue Mar 17, 2022 · 7 comments
@amigian74

Is your feature request related to a problem? Please describe.
Right now all properties are logged with VERBOSE level on. This is critical in some situations, especially if passwords are involved (MySQL, for instance).

Describe the solution you'd like
It would be nice to add an attribute (hideoutput=true/false or disguiseoutput=true/false) to solve this problem.

@mrook
Member

mrook commented Mar 18, 2022

Hi, not sure I understand what you need. Do you want to change the log level of properties? Or mask some properties in all cases? For which tasks? In which situations? And why do you need to mask it?

@amigian74
Author

Hi. The last one. With VERBOSE all properties used in a task are shown in the log. This also shows password properties (for instance for the pdosqlexec task). This is not so good - it would be better to mark such properties always hidden or disguise the output as usual for passwords.

@mrook
Member

mrook commented Mar 18, 2022

This is not trivial. Tasks are not in control of the dumping of properties to console under VERBOSE, that's a core Phing capability. We'd need to either add whether a property is sensitive or not, or use regexp masking rules to replace passwords with other characters when under VERBOSE.

Having a "do not dump properties" option while running phing in debug mode is also an option, but feels like a shortcut to fix a symptom.

I'm not entirely sure we need this yet, interested to see what other users think.

@mrook mrook changed the title from "Disable output of some properties (passwords)" to "Mask passwords in VERBOSE logs when running Phing in debug mode" Mar 18, 2022
@mrook mrook changed the title from "Mask passwords in VERBOSE logs when running Phing in debug mode" to "Mask passwords in VERBOSE logs when running Phing in debug mode?" Mar 18, 2022
@mrook
Member

mrook commented May 16, 2022

@siad007 WDYT?

@MiRacLe-RPZ
Contributor

For my custom tasks I do something like:

    public function log($msg, $level = Project::MSG_INFO, ?Exception $t = NULL) {
        // Mask the value of a --password option before the message is passed on to the project log.
        $msg = preg_replace('~--password="?([^"]+)"?\s~', '--password="******" ', $msg);
        $this->project->logObject($this, $msg, $level, $t);
    }

No idea how to do this globally, but per task we can hide sensitive data this way.

@siad007
Member

siad007 commented Jun 29, 2022

We could simply introduce a listener, which could hide by configuration either

  • all properties or
  • properties by regex or
  • some global definable things like user/password from url etc.

Advantage of a listener instead of a logger: we could combine this with other listeners and/or a logger.
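
The masking rules discussed in this thread (sensitive names by regex, user/password in URLs), as an added example that is not part of the thread or of Phing's code. `redactMessage()`, its default rule list and the sample messages are assumptions made for illustration; hooking it into a Phing listener or logger is not shown.

```php
<?php
declare(strict_types=1);

const MASK = '******';

/**
 * Mask secrets in one log message (hypothetical helper, not a Phing API).
 *
 * @param string[] $nameRules regex fragments for sensitive names (trusted configuration)
 */
function redactMessage(string $msg, array $nameRules = ['pass(?:word|wd)?', 'secret', 'token']): string
{
    $names = implode('|', $nameRules);
    $patterns = [
        // name=value, name: value, name -> value, --name="value with spaces".
        // The value is a quoted string or a run of non-whitespace and may end the message.
        '~((?:' . $names . ')[\w.-]*\s*(?:=|:|->)\s*)(?:"[^"]*"|\'[^\']*\'|\S+)~i' => '${1}' . MASK,
        // user:password@ in URLs; greedy up to the last "@" so passwords containing "@" are covered.
        '~(\b[a-z][a-z0-9+.-]*://[^\s/:@]+:)[^\s/]+@~i' => '${1}' . MASK . '@',
    ];
    foreach ($patterns as $pattern => $replacement) {
        // preg_replace() returns null on error: fail closed instead of logging the raw text.
        $msg = preg_replace($pattern, $replacement, $msg) ?? '[message withheld: redaction failed]';
    }
    return $msg;
}

// Constructed sample messages (formats assumed, not captured from a real Phing run).
$samples = [
    'Setting project property: db.password -> s3cr3t',
    'Executing: mysql --user=app --password="two words" --host=db',
    'Executing: mysql --password=last-arg',
    'Connecting to mysql://app:p@ss@db.internal/shop',
];
foreach ($samples as $line) {
    echo redactMessage($line), PHP_EOL;
}
```

Name-based rules also mask ordinary text such as `password: wrong`, so the rule list is best kept short and specific to the build's own property names.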

@jawira
Contributor

jawira commented Sep 8, 2022

I was reading this RFC, "Redacting parameters in back traces", and I remembered this issue. Maybe it can be useful, at least as inspiration?

@mrook mrook added this to the 3.1.0 milestone Nov 7, 2023