mirror of
				https://github.com/go-gitea/gitea.git
				synced 2025-10-26 13:43:53 +00:00 
			
		
		
		
	Backport #35584 by @shashank-netapp # Summary The Gitea codebase was logging `Elasticsearch` and `Meilisearch` connection strings directly to log files without sanitizing them. Since connection strings often contain credentials in the format `protocol://username:password@host:port`, this resulted in passwords being exposed in plain text in log output. Fix: - wrapped all instances of setting.Indexer.RepoConnStr and setting.Indexer.IssueConnStr with the `util.SanitizeCredentialURLs()` function before logging them. Fixes: #35530 Co-authored-by: shashank-netapp <108022276+shashank-netapp@users.noreply.github.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
		| @@ -22,6 +22,7 @@ import ( | |||||||
| 	"code.gitea.io/gitea/modules/process" | 	"code.gitea.io/gitea/modules/process" | ||||||
| 	"code.gitea.io/gitea/modules/queue" | 	"code.gitea.io/gitea/modules/queue" | ||||||
| 	"code.gitea.io/gitea/modules/setting" | 	"code.gitea.io/gitea/modules/setting" | ||||||
|  | 	"code.gitea.io/gitea/modules/util" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| var ( | var ( | ||||||
| @@ -166,12 +167,12 @@ func Init() { | |||||||
| 				log.Fatal("PID: %d Unable to initialize the bleve Repository Indexer at path: %s Error: %v", os.Getpid(), setting.Indexer.RepoPath, err) | 				log.Fatal("PID: %d Unable to initialize the bleve Repository Indexer at path: %s Error: %v", os.Getpid(), setting.Indexer.RepoPath, err) | ||||||
| 			} | 			} | ||||||
| 		case "elasticsearch": | 		case "elasticsearch": | ||||||
| 			log.Info("PID: %d Initializing Repository Indexer at: %s", os.Getpid(), setting.Indexer.RepoConnStr) | 			log.Info("PID: %d Initializing Repository Indexer at: %s", os.Getpid(), util.SanitizeCredentialURLs(setting.Indexer.RepoConnStr)) | ||||||
| 			defer func() { | 			defer func() { | ||||||
| 				if err := recover(); err != nil { | 				if err := recover(); err != nil { | ||||||
| 					log.Error("PANIC whilst initializing repository indexer: %v\nStacktrace: %s", err, log.Stack(2)) | 					log.Error("PANIC whilst initializing repository indexer: %v\nStacktrace: %s", err, log.Stack(2)) | ||||||
| 					log.Error("The indexer files are likely corrupted and may need to be deleted") | 					log.Error("The indexer files are likely corrupted and may need to be deleted") | ||||||
| 					log.Error("You can completely remove the \"%s\" index to make Gitea recreate the indexes", setting.Indexer.RepoConnStr) | 					log.Error("You can completely remove the \"%s\" index to make Gitea recreate the indexes", util.SanitizeCredentialURLs(setting.Indexer.RepoConnStr)) | ||||||
| 				} | 				} | ||||||
| 			}() | 			}() | ||||||
|  |  | ||||||
| @@ -181,7 +182,7 @@ func Init() { | |||||||
| 				cancel() | 				cancel() | ||||||
| 				(*globalIndexer.Load()).Close() | 				(*globalIndexer.Load()).Close() | ||||||
| 				close(waitChannel) | 				close(waitChannel) | ||||||
| 				log.Fatal("PID: %d Unable to initialize the elasticsearch Repository Indexer connstr: %s Error: %v", os.Getpid(), setting.Indexer.RepoConnStr, err) | 				log.Fatal("PID: %d Unable to initialize the elasticsearch Repository Indexer connstr: %s Error: %v", os.Getpid(), util.SanitizeCredentialURLs(setting.Indexer.RepoConnStr), err) | ||||||
| 			} | 			} | ||||||
|  |  | ||||||
| 		default: | 		default: | ||||||
|   | |||||||
| @@ -25,6 +25,7 @@ import ( | |||||||
| 	"code.gitea.io/gitea/modules/process" | 	"code.gitea.io/gitea/modules/process" | ||||||
| 	"code.gitea.io/gitea/modules/queue" | 	"code.gitea.io/gitea/modules/queue" | ||||||
| 	"code.gitea.io/gitea/modules/setting" | 	"code.gitea.io/gitea/modules/setting" | ||||||
|  | 	"code.gitea.io/gitea/modules/util" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| // IndexerMetadata is used to send data to the queue, so it contains only the ids. | // IndexerMetadata is used to send data to the queue, so it contains only the ids. | ||||||
| @@ -100,7 +101,7 @@ func InitIssueIndexer(syncReindex bool) { | |||||||
| 			issueIndexer = elasticsearch.NewIndexer(setting.Indexer.IssueConnStr, setting.Indexer.IssueIndexerName) | 			issueIndexer = elasticsearch.NewIndexer(setting.Indexer.IssueConnStr, setting.Indexer.IssueIndexerName) | ||||||
| 			existed, err = issueIndexer.Init(ctx) | 			existed, err = issueIndexer.Init(ctx) | ||||||
| 			if err != nil { | 			if err != nil { | ||||||
| 				log.Fatal("Unable to issueIndexer.Init with connection %s Error: %v", setting.Indexer.IssueConnStr, err) | 				log.Fatal("Unable to issueIndexer.Init with connection %s Error: %v", util.SanitizeCredentialURLs(setting.Indexer.IssueConnStr), err) | ||||||
| 			} | 			} | ||||||
| 		case "db": | 		case "db": | ||||||
| 			issueIndexer = db.GetIndexer() | 			issueIndexer = db.GetIndexer() | ||||||
| @@ -108,7 +109,7 @@ func InitIssueIndexer(syncReindex bool) { | |||||||
| 			issueIndexer = meilisearch.NewIndexer(setting.Indexer.IssueConnStr, setting.Indexer.IssueConnAuth, setting.Indexer.IssueIndexerName) | 			issueIndexer = meilisearch.NewIndexer(setting.Indexer.IssueConnStr, setting.Indexer.IssueConnAuth, setting.Indexer.IssueIndexerName) | ||||||
| 			existed, err = issueIndexer.Init(ctx) | 			existed, err = issueIndexer.Init(ctx) | ||||||
| 			if err != nil { | 			if err != nil { | ||||||
| 				log.Fatal("Unable to issueIndexer.Init with connection %s Error: %v", setting.Indexer.IssueConnStr, err) | 				log.Fatal("Unable to issueIndexer.Init with connection %s Error: %v", util.SanitizeCredentialURLs(setting.Indexer.IssueConnStr), err) | ||||||
| 			} | 			} | ||||||
| 		default: | 		default: | ||||||
| 			log.Fatal("Unknown issue indexer type: %s", setting.Indexer.IssueType) | 			log.Fatal("Unknown issue indexer type: %s", setting.Indexer.IssueType) | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user