Change sensitive config types to `Password`.
mashhurs opened this issue · 0 comments
Issue description
When `--debug` is enabled, there might be a leak of sensitive data such as `security_token` in the debug log in Logstash-code.
How to reproduce?
```
# config
input {
  salesforce {
    client_id => "OAUTH_CLIENT_ID_FROM_YOUR_SFDC_APP"
    client_secret => "OAUTH_CLIENT_SECRET"
    username => "email@example.com"
    password => "super-secret"
    security_token => "SECURITY_TOKEN"
    sfdc_object_name => "Opportunity"
  }
}
output {
  stdout {}
}
```
```
# Log before change
[2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@password = "super-secret"
[2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@sfdc_object_name = "Opportunity"
[2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@security_token = "SECURITY_TOKEN"
[2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@client_secret = "OAUTH_CLIENT_SECRET"
[2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@id = "bd7dc92c85796c3ea5c00db2b609c7de40dbe32a5b98bf14df4a66139f117090"
[2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@client_id = "OAUTH_CLIENT_ID_FROM_YOUR_SFDC_APP"
```
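
An added example (not part of the original issue or the plugin's code): a Ruby check that scans Logstash debug output like the log above for sensitive settings printed in plaintext, and redacts them before the log is shared. It assumes that settings validated as `:password` appear as `<password>` in debug output; the `SENSITIVE` list and the last sample line are constructed for illustration.

```ruby
# Setting names treated as sensitive (hypothetical list, taken from the config in the issue).
SENSITIVE = %w[password security_token client_secret].freeze

# Assumption: this is how a Password-typed setting is rendered in debug output.
MASK = "<password>"

# Matches debug lines of the form:
#   [ts][DEBUG][logger] config LogStash::Inputs::Salesforce/@password = "super-secret"
CONFIG_LINE = %r{\]\[DEBUG\s*\]\[[^\]]+\]\s+config\s+(?<plugin>[\w:]+)/@(?<setting>\w+)\s+=\s+(?<value>.*)\z}

Finding = Struct.new(:line_no, :plugin, :setting)

# Returns the regex match if the line prints a sensitive setting unmasked, else nil.
def leaked_setting(line, sensitive)
  m = CONFIG_LINE.match(line.chomp)
  return nil unless m && sensitive.include?(m[:setting])
  m[:value].strip == MASK ? nil : m
end

# Lists every sensitive setting whose value appears in plaintext (1-based line numbers).
def find_plaintext_secrets(lines, sensitive: SENSITIVE)
  lines.each_with_index.filter_map do |line, idx|
    m = leaked_setting(line, sensitive)
    Finding.new(idx + 1, m[:plugin], m[:setting]) if m
  end
end

# Returns the log lines with leaked values replaced by the mask; other lines are unchanged.
def redact(lines, sensitive: SENSITIVE)
  lines.map do |line|
    leaked_setting(line, sensitive) ? line.chomp.sub(/=\s+.*\z/, "= #{MASK}") : line.chomp
  end
end

# Sample input: three lines from the issue's log, plus one constructed line showing
# the assumed masked form.
SAMPLE_LOG = <<~LOG.lines
  [2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@password = "super-secret"
  [2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@sfdc_object_name = "Opportunity"
  [2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@security_token = "SECURITY_TOKEN"
  [2022-12-01T18:05:17,380][DEBUG][logstash.inputs.salesforce] config LogStash::Inputs::Salesforce/@client_secret = <password>
LOG

if __FILE__ == $PROGRAM_NAME
  find_plaintext_secrets(SAMPLE_LOG).each do |f|
    puts "line #{f.line_no}: #{f.plugin} prints @#{f.setting} in plaintext"
  end
  puts redact(SAMPLE_LOG)
end
```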