Hiding credentials in `Bolt.Sips.info`?
dominique-vassard opened this issue · 3 comments
Environment
- Elixir version (elixir -v): 1.8
- Neo4j and version (Neo4j 3.5.3, etc.): 3.5.17
- Connection scheme (
bolt://,bolt+routing://orneo4j://): bolt:// - Bolt.Sips version (mix deps): bolt_sips, "~> 2.0"
- Operating system: Arch Linux
Current behavior
Today Bolt.Sips.info returns something like this:
%{
default: %{
connections: %{direct: %{"localhost:7687" => 0}, routing_query: nil},
user_options: [
socket: Bolt.Sips.Socket,
port: 7687,
routing_context: %{},
schema: "bolt",
hostname: "localhost",
pool_size: 15,
max_overflow: 0,
timeout: 15000,
ssl: false,
with_etls: false,
prefix: :default,
url: "bolt://localhost:7687",
basic_auth: [username: "neo4j", password: "neo4jtest"]
]
}
}
Wouldn't be nice to hide the credentials in it? At least when using a prod env?
Just to add a bit of security.
Do you think it is worthy or not?
Sure, it would be nice. But if you come to think about, who can really run that command? If that person has access to a running app’s shell, he can find those credentials in other places too, among many other and probably even more sensitive details, no?!
We can simply remove the auth creds when we display the info, to be pedantic, yes.
But honestly, I wouldn’t go further than that. Checking if the app runs in prod or ... env ¯_(ツ)_/¯
@dominique-vassard - I added a basic sanitization, in master. HTH?!
Nice!
You're right, that's enough to have some security for unaware people who leaves their session opened for few minutes.
It' just to make things harder for the bad guys ;)