Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] - Mealie exposes sensitive information in log files #4217

Closed
bigcat2014 opened this issue Sep 16, 2024 · 2 comments · Fixed by #4218
Closed

[BUG] - Mealie exposes sensitive information in log files #4217

bigcat2014 opened this issue Sep 16, 2024 · 2 comments · Fixed by #4218
Labels
bug: confirmed bug Something isn't working

Comments

@bigcat2014
Copy link
Contributor

I noticed that Mealie excludes some of the sensitive informatin from the logs, but it does not exclude everything; mainly, it's missing LDAP_QUERY_PASSWORD, OIDC_CLIENT_ID, and OPENAI_API_KEY.

I will open a PR to hopefully fix this issue, although this is my first time contributing to Mealie, so if I miss some spots in the code where this info may be leaked, please let me know and I will correct it.
@michael-genson
Copy link
Collaborator

You should be able to just add those fields here:

mealie/mealie/app.py

Lines 60 to 75 in 8778559

logger.info("-----SYSTEM STARTUP-----")
logger.info("------APP SETTINGS------")
logger.info(
settings.model_dump_json(
indent=4,
exclude={
"SECRET",
"SFTP_PASSWORD",
"SFTP_USERNAME",
"DB_URL", # replace by DB_URL_PUBLIC for logs
"DB_PROVIDER",
"SMTP_USER",
"SMTP_PASSWORD",
},
)
)

@michael-genson
Copy link
Collaborator

Also, please use the bug template next time: https://github.com/mealie-recipes/mealie/issues/new/choose

@michael-genson michael-genson added bug Something isn't working bug: confirmed labels Sep 16, 2024
@michael-genson michael-genson changed the title Mealie exposes sensitive information in log files [BUG] - Mealie exposes sensitive information in log files Sep 16, 2024
@bigcat2014 bigcat2014 mentioned this issue Sep 16, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug: confirmed bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Exclude additional sensitive information from mealie logs bigcat2014/mealie
2 participants
@bigcat2014 @michael-genson