Passwords in logs

Issue #28 resolved
richa gautam created an issue

When we use this plugin and enable detailed logging, the passwords are present in the log files. Can we have that removed from the log file? Also, how is password management done with this plugin? Where are the passwords stored? Aren't they encrypted?

Comments (5)

  1. Alexander Renteln

    Hi @girlrichie,

    yes, you are right. Although it only happens with debugging enabled, passwords should never appear in the log. I will fix that. As to the passwords and where they are being stored: all data is stored in the hook-settings, and the password cannot be "encrypted" as it has to be sent in plain text (base64 encoded) to the webserver with basic auth. But this key-value store can only be accessed by users having access to that hook-section.

    Best, Alex
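The two points made above (a Basic-auth credential is only base64-encoded, so anyone who reads the log line recovers the password; therefore the logger must redact before writing) as an added example. This is illustrative code, not the plugin's or Bitbucket's implementation; the host `ci.example.com`, the user `deploy`, the password `s3cr3t!` and the sample log lines are all constructed for the demo.

```python
"""Added example (not the plugin's code): a Basic-auth password in a log line is
trivially recoverable, and a redaction pass can scrub it before the line is written."""
import base64
import re
from typing import Iterable


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value a hook sends for HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_auth(header_value: str) -> tuple[str, str]:
    """Recover the credentials from a Basic header: base64 is encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


# Patterns that catch the three common ways a hook password leaks into a log line:
# the Authorization header, a dumped settings map/JSON, and userinfo in a URL.
_AUTH_RE = re.compile(r"(?i)(Authorization:\s*Basic\s+)[A-Za-z0-9+/=]+")
_PW_RE = re.compile(r"""(?i)(\bpassword["']?\s*[=:]\s*)(?:(["'])[^"']*\2|[^\s,;}]+)""")
_URL_RE = re.compile(r"(?i)(https?://[^:/\s]+:)[^@/\s]+(@)")


def redact(line: str) -> str:
    """Return the line with any Basic token, password value or URL password replaced."""
    line = _AUTH_RE.sub(r"\1[REDACTED]", line)
    # \2 re-emits the quote character when the value was quoted (empty otherwise)
    line = _PW_RE.sub(r"\1\2[REDACTED]\2", line)
    line = _URL_RE.sub(r"\1[REDACTED]\2", line)
    return line


def redact_lines(lines: Iterable[str]) -> list[str]:
    """Apply redact() to every line, e.g. as a logging.Filter would before emitting."""
    return [redact(line) for line in lines]


# Constructed sample debug lines (hypothetical host, user and password, not from the issue).
SAMPLE_LOG = [
    f"DEBUG Posting to https://ci.example.com/hook Authorization: {basic_auth_header('deploy', 's3cr3t!')}",
    'DEBUG Hook settings: {"url": "https://ci.example.com/hook", "user": "deploy", "password": "s3cr3t!"}',
    "DEBUG Effective URL https://deploy:s3cr3t!@ci.example.com/hook",
]

if __name__ == "__main__":
    user, pwd = decode_basic_auth(basic_auth_header("deploy", "s3cr3t!"))
    print(f"decoded from header: {user} / {pwd}")  # the password comes straight back
    for line in redact_lines(SAMPLE_LOG):
        print(line)
```

Redaction at the logger is a mitigation for the application log only; it does nothing for a separate audit trail that records the settings values themselves, and it does not change the fact that whoever can read the stored settings can read the password.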

  2. richa gautam reporter

    Thanks. Since it's a critical scenario, can we have this done on priority? Also, can I know where I can find the hook-settings? I have admin rights on Bitbucket but could not find anything regarding passwords. Settings -> Hook gives a way to configure the hook (that's what I see). Please let me know how I get to the hook-settings. Thanks.

  3. richa gautam reporter

    I just checked the Audit Log in Bitbucket and found that Bitbucket also logs the hook settings, so my password was there in plain text as well.

    Is there any update on this issue?

  4. Alexander Renteln

    Hi Richa,

    the password is now removed from the logs. But there is no way to remove them from the audit logs. And as I have to store them somehow in plain text on the server, or at least encrypt them in a reversible fashion, they can never be safe against an attack from within: someone with admin privileges.

    Best, Alex
