Skip to content

Fixing issue #35530: Password Leak in Log Messages #35584

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Oct 7, 2025
Merged

Fixing issue #35530: Password Leak in Log Messages #35584

merged 5 commits into from
Oct 7, 2025

Conversation

shashank-netapp
Copy link
Contributor

@shashank-netapp shashank-netapp commented Oct 4, 2025
edited
Loading

Summary

The Gitea codebase was logging Elasticsearch and Meilisearch connection strings directly to log files without sanitizing them. Since connection strings often contain credentials in the format protocol://username:password@host:port, this resulted in passwords being exposed in plain text in log output.

Fix:

  • wrapped all instances of setting.Indexer.RepoConnStr and setting.Indexer.IssueConnStr with the util.SanitizeCredentialURLs() function before logging them.

Fixes: #35530

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 4, 2025
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Oct 4, 2025
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 4, 2025
@techknowlogick techknowlogick added backport/v1.24 This PR should be backported to Gitea 1.24 backport/v1.25 labels Oct 4, 2025
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 4, 2025
@wxiaoguang
Copy link
Contributor

It's better to call SanitizeCredentialURLs in EventFormatTextMessage, then all messages are sanitized, nothing will be missing. And it's easier to add a test for EventFormatTextMessage

@shashank-netapp
Copy link
Contributor Author

It's better to call SanitizeCredentialURLs in EventFormatTextMessage, then all messages are sanitized, nothing will be missing. And it's easier to add a test for EventFormatTextMessage

That seems more secure, but again this would be adding a few bit of lines to all the log statements and for the majority of time we may not even need it. Is this extra cost acceptable ?

@wxiaoguang
Copy link
Contributor

It's better to call SanitizeCredentialURLs in EventFormatTextMessage, then all messages are sanitized, nothing will be missing. And it's easier to add a test for EventFormatTextMessage

That seems more secure, but again this would be adding a few bit of lines to all the log statements and for the majority of time we may not even need it. Is this extra cost acceptable ?

SanitizeCredentialURLs is designed to be very fast. If the message doesn't look like containing a URL with password, (containing :// and @), it does nothing.

Personally I think it's worth to make the logger system more secure, but I am fine with either (current approach, or calling SanitizeCredentialURLs for all log messages). It's up to the reviewers. @lunny @techknowlogick

@lunny
Copy link
Member

lunny commented Oct 6, 2025
edited
Loading

I think as a quick patch, this is enough.

Adding a log level check requires balancing performance and security. Most log format arguments don’t need such checks, but verifying the log level can help prevent potential leaks of sensitive information.

Alternatively, we could introduce a dedicated type, for example, type SensitiveString string, to explicitly mark and handle sensitive data. This approach would provide a reasonable balance between performance and security. These improvements could be introduced in a separate PR.

@lunny
Copy link
Member

lunny commented Oct 6, 2025

I sent #35594 as an example how it might be.

@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Oct 6, 2025
@lunny lunny merged commit 03fce8f into go-gitea:main Oct 7, 2025
26 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Oct 7, 2025
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Oct 7, 2025
zjjhot added a commit to zjjhot/gitea that referenced this pull request Oct 9, 2025
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
23b3da5 
* giteaofficial/main:
  Fixing issue go-gitea#35530: Password Leak in Log Messages (go-gitea#35584)
  Move some functions to gitrepo package (go-gitea#35543)
  feat: adds option to force update new branch in contents routes (go-gitea#35592)
  Move archive function to repo_model and gitrepo (go-gitea#35514)
  Use `inputs` context when parsing workflows (go-gitea#35590)
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Oct 9, 2025
@shashank-netapp @lunny @GiteaBot
Fixing issue go-gitea#35530: Password Leak in Log Messages (go-gitea#…
389cda2 
…35584)

The Gitea codebase was logging `Elasticsearch` and `Meilisearch`
connection strings directly to log files without sanitizing them. Since
connection strings often contain credentials in the format
`protocol://username:password@host:port`, this resulted in passwords
being exposed in plain text in log output.

Fix:
- wrapped all instances of setting.Indexer.RepoConnStr and
setting.Indexer.IssueConnStr with the `util.SanitizeCredentialURLs()`
function before logging them.

Fixes: go-gitea#35530

Co-authored-by: Lunny Xiao <[email protected]>
@GiteaBot GiteaBot mentioned this pull request Oct 9, 2025
Merged
6543 pushed a commit that referenced this pull request Oct 9, 2025
@GiteaBot @shashank-netapp @lunny
Fixing issue #35530: Password Leak in Log Messages (#35584) (#35609)
6de2151 
Backport #35584 by @shashank-netapp

# Summary
The Gitea codebase was logging `Elasticsearch` and `Meilisearch`
connection strings directly to log files without sanitizing them. Since
connection strings often contain credentials in the format
`protocol://username:password@host:port`, this resulted in passwords
being exposed in plain text in log output.

Fix:
- wrapped all instances of setting.Indexer.RepoConnStr and
setting.Indexer.IssueConnStr with the `util.SanitizeCredentialURLs()`
function before logging them.

Fixes: #35530

Co-authored-by: shashank-netapp <[email protected]>
Co-authored-by: Lunny Xiao <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lunny lunny lunny approved these changes

@techknowlogick techknowlogick techknowlogick approved these changes

Assignees

No one assigned

Labels

backport/v1.24 This PR should be backported to Gitea 1.24 backport/v1.25 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/go Pull requests that update Go code

Projects

None yet

Milestone

1.26.0

Development

Successfully merging this pull request may close these issues.

Elasticsearch password print on clear in case of error

5 participants

@shashank-netapp @wxiaoguang @lunny @techknowlogick @GiteaBot