Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: quay-v3.12.4
Affects Version/s: quay-v3.12.0
Component/s: quay
Labels:
- quay
- triaged
- validator

Blocked:
False
Blocked Reason:
None
Ready:
False
Product:
Quay Enterprise
Intelligence Requested:
Market:

Target Version:

quay-v3.12.4

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

PX Impact Score:
PX Review Complete:

During Quay bootstrap, if debugging is enabled, the validator will print out the database URI exactly as it stands, without obfuscating the password:

time="2024-10-09T14:51:20Z" level=debug msg="Pinging database at postgresql://QUAY_USER:PasswordDB_unencrypted@POSTGRESQL_HOSTNAME/quaydb"

This might be perceived as a security concern. A better option would be to obfuscate the password part during printout.

links to

quay/quay#3332: validator: Remove logging of database password (PROJQUAY-8059)

quay/quay#3335: [redhat-3.13] validator: Remove logging of database password (PROJQUAY-8059)

quay/quay#3337: [redhat-3.12] validator: Remove logging of database password (PROJQUAY-8059)

RHBA-2024:139899 Red Hat Quay v3.12.4 bug fix release

mentioned on

Merge request - Updated US source to: 785a8bd [redhat-3.13] validator: Remove logging of database password (PROJQUAY-8059) (#3335)

Merge request - Updated US source to: 902e074 [redhat-3.12] validator: Remove logging of database password (PROJQUAY-8059) (#3337)

(1 mentioned on)

Assignee:: Ivan Bazulic

Reporter:: Ivan Bazulic

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/10/09 3:50 PM

Updated:: 2024/10/31 9:10 AM

Resolved:: 2024/10/31 9:10 AM