pa11y/pa11y-dashboard

Database connection string gets logged on startup - including password

MontyD opened this issue · 2 comments

Hello! Thanks for all your work on this project.

I've noticed that when the dashboard starts, the mongo connection string is logged. When connecting to a mongo instance using username and password (e.g. mongodb://username:password@localhost/test) this means that the username and password are also logged.

Could the log line be removed, or perhaps just the database host name be logged instead?

To reproduce:

Run a mongo instance that requires an authenticated user for connection, and then connect to it using the mongo connection string:

WEBSERVICE_DATABASE=mongodb://username:password@mongo/test npm start

See that the username and password are logged on startup.

Hi @MontyD,

Thanks a lot for reporting the issue. You're right that the username and password shouldn't be logged there. We'll try to have a look at it asap.

This has now been fixed in v3.2.1 of pa11y-webservice. Pa11y-dashboard v3.3.0 should pick up the latest version of webservice including the fix.

Thanks again for creating the issue!
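One way to log only the database target at startup, as the report suggests. This is an added example, not the fix shipped in pa11y-webservice v3.2.1. The helper names `redactMongoUri` and `startupLogLine` are hypothetical, and the sample connection string is constructed from the form given in the report.

```javascript
// Added example. redactMongoUri and startupLogLine are hypothetical names,
// not functions from pa11y-webservice or pa11y-dashboard.

const WITHHELD = '[connection string withheld]';

function redactMongoUri(uri) {
  const match = /^(mongodb(?:\+srv)?:\/\/)(.+)$/i.exec(String(uri).trim());
  if (!match) {
    return WITHHELD; // unknown shape: log nothing rather than risk a secret
  }
  const [, scheme, rest] = match;
  // Userinfo ends at the LAST "@". Searching the whole remainder means a
  // password with an unescaped "@", "/" or "?" is still dropped in full.
  const target = rest.slice(rest.lastIndexOf('@') + 1);
  // Drop the query string: options are not needed to identify the target.
  const [hostsAndDb] = target.split(/[?#]/);
  const [hosts, ...dbParts] = hostsAndDb.split('/');
  // Only accept something that looks like a host list (names, ports, commas).
  if (!/^[A-Za-z0-9.\-_:,\[\]]+$/.test(hosts)) {
    return WITHHELD;
  }
  const db = dbParts.join('/');
  return scheme.toLowerCase() + hosts + (db ? '/' + db : '');
}

function startupLogLine(env) {
  return 'Using database: ' + redactMongoUri(env.WEBSERVICE_DATABASE);
}

// Constructed sample input, matching the form used in the report above.
console.log(startupLogLine({
  WEBSERVICE_DATABASE: 'mongodb://username:password@mongo/test'
}));
```

The function fails closed: anything that is not a recognisable `mongodb://` or `mongodb+srv://` string is replaced by a fixed marker instead of being echoed.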