storesafe/cordova-sqlcipher-adapter

database password logged when SQL error occurs

Wingzzzzz opened this issue · 5 comments

iOS 12.4
cordova-sqlcipher-adapter 0.4.1

As a function of cordova-sqlite-storage,
when an SQL error occurs,
it logs the database open args like:

2019-10-16 18:58:01.136887+0800 MyApp[18299:2294348] ERROR: execute sql with error : { db: 
   { openargs: 
      { name: 'app.db',
        key: 'password1',
        location: 'default',
        dblocation: 'nosync' },
     dbname: 'app.db',
     openSuccess: [Function],
     openError: [Function] },
  fn: [Function],
  error: [Function],
  success: undefined,
  txlock: true,
  readOnly: false,
  executes: [] }

The problem for cordova-sqlcipher-adapter is that the password is exposed whenever others connect to the device to check the device log.

Thanks, please accept my apologies for the extra-long delay. Definitely a security issue!

No problem, I appreciate your effort on the project.

This kind of error log is not in the JavaScript code on this plugin. I think we can close this one.

I have not looked into the logging-related code,
but can I say this: options printed are not expected to have sensitive information.

As I tried to explain before, that log message is not part of this plugin. A https://stackoverflow.com/help/minimal-reproducible-example is needed to demonstrate your issue. Closing as invalid.
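
Added example, not part of the thread and not code from the plugin: one way to keep the `key` in `openargs` out of the device log wherever an object shaped like the one above gets logged. `redactForLog`, `formatSqlError`, `SENSITIVE_KEYS` and the sample object are assumptions made for illustration.

```javascript
// Added example; redactForLog, formatSqlError and SENSITIVE_KEYS are hypothetical
// application-side names, not part of cordova-sqlcipher-adapter.
const SENSITIVE_KEYS = new Set(['key', 'password', 'passphrase', 'secret', 'token']);

// Return a deep copy for logging: values under sensitive keys are masked,
// functions and cycles are replaced with markers. The input is not mutated.
function redactForLog(value, path = new WeakSet()) {
  if (typeof value === 'function') return '[Function]';
  if (value === null || typeof value !== 'object') return value;
  if (value instanceof Error) return { name: value.name, message: value.message };
  if (path.has(value)) return '[Circular]';
  path.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((v) => redactForLog(v, path));
  } else {
    out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? '[REDACTED]' : redactForLog(v, path);
    }
  }
  path.delete(value); // only true ancestors count as a cycle
  return out;
}

function formatSqlError(tx) {
  return 'execute sql with error : ' + JSON.stringify(redactForLog(tx));
}

// Constructed sample shaped like the object in the log above.
const sampleTx = {
  db: {
    openargs: { name: 'app.db', key: 'password1', location: 'default', dblocation: 'nosync' },
    dbname: 'app.db',
    openSuccess() {},
    openError() {},
  },
  fn() {},
  error() {},
  success: undefined,
  txlock: true,
  readOnly: false,
  executes: [],
};
sampleTx.db.lastTx = sampleTx; // constructed back-reference to exercise cycle handling

console.log(formatSqlError(sampleTx));
```

Masking is by property name only, so a secret that ends up inside an error message string is not caught by this filter.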