shashank-netapp 03fce8f3d0 Fixing issue #35530: Password Leak in Log Messages (#35584) ...

The Gitea codebase was logging `Elasticsearch` and `Meilisearch`
connection strings directly to log files without sanitizing them. Since
connection strings often contain credentials in the format
`protocol://username:password@host:port`, this resulted in passwords
being exposed in plain text in log output.

Fix:
- wrapped all instances of setting.Indexer.RepoConnStr and
setting.Indexer.IssueConnStr with the `util.SanitizeCredentialURLs()`
function before logging them.

Fixes: #35530

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

2025-10-07 09:26:47 -07:00

9.5 KiB

Raw Blame History

View Raw