new relic license key is printed in debug logs #353
Labels
Milestone
Comments
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
New relic license key is logged in debug.
Summary
License key should be masked (or we should just print if it is set or not) and not printed in logs. We don't know who has access to logs (intern in a company can have only view privileges, but can see and potentially misuse the token, token is longed lived and only thing required to send logs/metrics).
This can be misused e.g. increasing company cost, running out of quote etc.
Desired Behaviour
License key (and all sensitive data) should be removed from logs, or masked, or just logged as being set.
TIP: # ( Do NOT give us access or passwords to your New Relic account or API keys! )
Possible Solution
url is built in collector.go rpmURL(...) and then logged in collector.go collector_request(...)
One option could be to return url struct from
rpmULRinstead of string, so we have access to just the host, path and the scheme (for debug log), but also tourl.String()for the url with query.Additional context
The text was updated successfully, but these errors were encountered: