
Sanitize credentials in connection string logs#7

Open
rohenaz wants to merge 3 commits into master from fix/sanitize-credentials-in-logs

Conversation


@rohenaz rohenaz commented Nov 7, 2025

Problem

Redis connection strings with credentials were being logged in plaintext at all times, exposing sensitive information in application logs.

Example of insecure log output:

Connecting to Redis BeefStorage... redis://default:PASSWORD@redis.railway.internal:6379

Solution

  • Created internal/utils/sanitize.go with SanitizeConnectionString() utility
  • Updated beef/redis.go to use slog.Debug with sanitized connection strings
  • Updated queue/redis.go to use slog.Debug with sanitized connection strings
  • Connection strings now only logged at DEBUG level (not in production)

Result

  • Production: No connection strings logged at all (unless debug level enabled)
  • Debug mode: Passwords redacted in logs:
level=DEBUG msg="Connecting to Redis BeefStorage" url="redis://default:*****@redis.railway.internal:6379"

Security Impact

  • Prevents credential leakage in production logs
  • Uses structured logging (slog) with proper log levels
  • Supports redis://, rediss://, mongodb://, and mongodb+srv:// URLs
  • Maintains full functionality while improving security posture
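The utility the description outlines, written out here as an added example rather than the project's own internal/utils/sanitize.go: a Go SanitizeConnectionString that parses the connection string with net/url, replaces only the password with *****, and keeps scheme, username, host list, database and query string intact, paired with a slog logger whose level decides whether the Debug line is emitted at all. The regex fallback for strings net/url rejects, the fail-closed placeholder for anything else, the newLogger helper and the sample connection strings are all assumptions made for this example; none of the credentials are real.

```go
package main

import (
	"log/slog"
	"net/url"
	"os"
	"regexp"
	"strings"
)

const redacted = "*****"

// credentialRe is a last-resort fallback for strings that net/url rejects
// (assumed here; the project may handle this differently). It rewrites
// "scheme://user:password@" to "scheme://user:*****@".
var credentialRe = regexp.MustCompile(`^([A-Za-z][A-Za-z0-9+.\-]*://[^:/?#@]*:)[^@]*@`)

// SanitizeConnectionString returns conn with any userinfo password replaced by
// "*****". Username, hosts, database and query parameters are preserved so the
// debug line stays useful. Strings without credentials are returned unchanged;
// strings that cannot be parsed and do not match the fallback are replaced
// wholesale, so an unrecognised format never reaches the log verbatim.
func SanitizeConnectionString(conn string) string {
	u, err := url.Parse(conn)
	if err != nil {
		if credentialRe.MatchString(conn) {
			return credentialRe.ReplaceAllString(conn, "${1}"+redacted+"@")
		}
		return "<unparseable connection string redacted>" // fail closed
	}
	if u.User == nil {
		return conn
	}
	if _, hasPassword := u.User.Password(); !hasPassword {
		return conn
	}
	// url.UserPassword would percent-encode "*" as %2A, so render the URL with
	// the username only and splice the placeholder in before the "@" that ends
	// the userinfo. String() percent-escapes the username, so that "@" is the
	// first one in the output.
	u.User = url.User(u.User.Username())
	return strings.Replace(u.String(), "@", ":"+redacted+"@", 1)
}

// newLogger mirrors the PR's logging change: the connection string is logged
// with Debug, so it is absent unless the handler is configured at debug level.
func newLogger(debug bool) *slog.Logger {
	level := slog.LevelInfo
	if debug {
		level = slog.LevelDebug
	}
	return slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: level}))
}

func main() {
	// Constructed sample; the password is a placeholder, not a real secret.
	conn := "redis://default:PASSWORD@redis.railway.internal:6379"
	for _, debug := range []bool{false, true} {
		logger := newLogger(debug)
		// Only the debug=true iteration prints a line, and it carries the
		// sanitized URL, never the raw connection string.
		logger.Debug("Connecting to Redis BeefStorage", "url", SanitizeConnectionString(conn))
	}
}
```

Two points worth checking in a review of the real utility: the password must be the only thing removed (a sanitizer that drops the host list makes the debug line useless for diagnosing which replica a service connected to), and the function should fail closed on input it does not understand, since the whole purpose is that the raw string is never the thing that ends up in the log.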

- Add SanitizeConnectionString utility to redact passwords from URLs
- Update beef/redis.go to sanitize Redis connection strings in logs
- Update queue/redis.go to sanitize Redis connection strings in logs
- Update dependencies with go mod tidy

Security: Prevents credentials from being leaked in application logs
- Replace log.Println with slog.Debug for structured logging
- Connection strings only logged at DEBUG level
- Prevents logs in production unless debug level is enabled
- Maintains sanitization of credentials when debug is enabled

@rohenaz rohenaz requested a review from shruggr November 7, 2025 16:44

- Add utils.SanitizeConnectionString() to redact passwords
- Update beef/redis.go and queue/redis.go to use slog.Debug()
- Rename cleanConnString to connStringForRedis for clarity
- Remove unused log import from queue/redis.go