User credentials stored in clear text in a stack trace and log #8511

Open
drhirn opened this issue Oct 12, 2020 · 4 comments

drhirn commented Oct 12, 2020

While writing an issue about an error while logging in using an LDAP user ( #8510 ), I noticed that I had the username and password of the user in the stack trace and the logfile. Not quite sure if this is a good thing.

#2 /data/vhosts/snipeit/app/Http/Controllers/Auth/LoginController.php(146): App\\Services\\LdapAd->ldapLogin('<user>', '<password>')

Using:

  • Snipe-IT Version v5.0.0-beta-7-GM
  • OS: RedHat 7
  • Web Server: Apache
  • PHP Version 7.3
  • Microsoft Active Directory
@uberbrady (Collaborator)

I was able to reproduce this too, and I talked it over with @snipe and our current thinking is that if you only get it when you're in Debug mode, then it's probably OK.

Can you confirm you were in Debug mode? Because if not - yes, you're absolutely right, this is definitely not something we want to do at all.

drhirn commented Oct 20, 2020

Yes, I was in Debug mode. Should have stated this.

Nevertheless, I'm still thinking this is a bad idea, Debug mode or not.

drhirn commented Oct 20, 2020

Tested again. Doesn't matter if Debug mode or not. The credentials are always in laravel.log.

uberbrady self-assigned this Nov 20, 2020

@uberbrady (Collaborator)

Yeah, that is very not cool. I don't know how we can tell the library that we're consuming not to do that though. I'll try and figure something out.
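One way to keep the call arguments out of the logged trace (the problem in the original report and the open question in the comment above), as an added example that is not Snipe-IT's, Laravel's or the LDAP library's own code: render the trace yourself with every argument replaced by a placeholder and hand that string to the logger instead of the exception object. `redactedTraceAsString()` and `DemoLdapService` are illustrative names, and the credentials are constructed sample values.

```php
<?php
// Added example (not Snipe-IT code): render an exception's stack trace in the
// same shape as Exception::getTraceAsString(), but with every call argument
// replaced by a placeholder, so values such as an LDAP password never reach
// laravel.log. Assumes PHP >= 7.3.

function redactedTraceAsString(Throwable $e): string
{
    $lines = [];
    foreach ($e->getTrace() as $i => $frame) {
        $call = ($frame['class'] ?? '') . ($frame['type'] ?? '') . ($frame['function'] ?? '');
        // Keep the arity so the frame is still useful for debugging; drop the values.
        $argc = isset($frame['args']) ? count($frame['args']) : 0;
        $args = implode(', ', array_fill(0, $argc, '[redacted]'));
        $where = isset($frame['file'])
            ? $frame['file'] . '(' . ($frame['line'] ?? 0) . ')'
            : '[internal function]';
        $lines[] = sprintf('#%d %s: %s(%s)', $i, $where, $call, $args);
    }
    $lines[] = sprintf('#%d {main}', count($lines));
    return implode("\n", $lines);
}

// Illustrative stand-in for a login service whose failure surfaces as an exception
// thrown from inside a call that received the plaintext credentials.
final class DemoLdapService
{
    public function ldapLogin(string $username, string $password): void
    {
        throw new RuntimeException('LDAP bind failed');
    }
}

function demo(): void
{
    try {
        // Constructed sample credentials; they end up as arguments of frame #0.
        (new DemoLdapService())->ldapLogin('jdoe', 'S3cretPass!');
    } catch (Throwable $e) {
        $safe = redactedTraceAsString($e);
        // Compare the two renderings: the raw one may carry the password, the
        // redacted one never does. Log $safe (plus $e->getMessage()), not $e.
        echo 'raw trace leaks password: ', var_export(strpos($e->getTraceAsString(), 'S3cretPass!') !== false, true), PHP_EOL;
        echo 'redacted trace leaks password: ', var_export(strpos($safe, 'S3cretPass!') !== false, true), PHP_EOL;
        echo $safe, PHP_EOL;
    }
}

demo();
```

On PHP 7.4 and later the engine-wide alternative is `zend.exception_ignore_args = On` in php.ini, which drops arguments from every trace; the reporter is on PHP 7.3, where that option does not exist, so a redacting renderer at the logging boundary is the available control there.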
