#inspect-ing an instance of Net::LDAP leaks auth credentials (username and password instance variables) #216

Closed
astockwell opened this issue Sep 11, 2015 · 2 comments

Comments

@astockwell
Contributor

Example:

c = Net::LDAP.new(conn_hash)
p c
=> #<Net::LDAP:0x007ffc6698a9f8 
    @host="server-001", 
    @port=636, 
    @verbose=false, 
    @auth={:method=>:simple, :username=>"cn=user,o=org", :password=>"supersecret"}, 
    @base="dc=com", 
    @force_no_page=false, 
    @encryption={:method=>:simple_tls, :tls_options=>{}}, 
    @instrumentation_service=nil, 
    @open_connection=nil, 
    @result=#<Net::LDAP::PDU:0x007ffc669895f8 
    @message_id=1, 
    @app_tag=1, 
    @ldap_controls=[], 
    @ldap_result={:resultCode=>0, :matchedDN=>"", :errorMessage=>""}>>

This can be worked around when using this gem by wrapping Net::LDAP in another class, but I don't imagine this is desirable behavior.

Could something be done similar to GitHub's octokit gem (highlighted LOC here) to mask them (or remove entirely)?

@jch
Member

jch commented Sep 11, 2015

@astockwell that's a great suggestion! Would you be interested in opening up a PR with a test?

@astockwell
Contributor Author

You got it 👍

jch closed this as completed in b0bf551 Sep 17, 2015
jch added a commit that referenced this issue Sep 17, 2015
obscure auth password upon #inspect, added test, closes #216
astratto pushed a commit to astratto/ruby-net-ldap that referenced this issue Dec 18, 2015
obscure auth password upon #inspect, added test, closes ruby-ldap#216
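
A sketch of the masking approach requested in this issue, added here as an example; it is not the net-ldap commit that closed the issue. `LeakyClient`, `MaskedClient`, `MASK` and the sample credentials are hypothetical, and masking only the `:password` key is an assumption.

```ruby
# Hypothetical stand-in for a client that keeps bind credentials in an
# @auth hash, shaped like the output in the issue. Not Net::LDAP's code.
class LeakyClient
  def initialize(host:, auth:)
    @host = host
    @auth = auth
  end
end

# Same state, but #inspect is built from a redacted copy of each ivar.
class MaskedClient < LeakyClient
  MASK = "*******"
  SENSITIVE_KEYS = %i[password].freeze # assumption: only the password is masked

  # p, logger calls and exception messages that interpolate #inspect all
  # receive this string instead of the default ivar dump.
  def inspect
    fields = instance_variables.map do |name|
      "#{name}=#{redact(instance_variable_get(name)).inspect}"
    end
    "#<#{self.class.name} #{fields.join(', ')}>"
  end

  private

  # Returns a copy with sensitive hash values masked, recursing into nested
  # hashes and arrays; the stored credentials are never modified.
  def redact(value)
    case value
    when Hash
      value.each_with_object({}) do |(k, v), out|
        out[k] = SENSITIVE_KEYS.include?(k.to_s.to_sym) ? MASK : redact(v)
      end
    when Array then value.map { |v| redact(v) }
    else value
    end
  end
end

# Constructed sample credentials mirroring the issue's example.
SAMPLE_AUTH = { method: :simple, username: "cn=user,o=org", password: "supersecret" }.freeze

def leaky_output
  LeakyClient.new(host: "server-001", auth: SAMPLE_AUTH).inspect
end

def masked_output
  MaskedClient.new(host: "server-001", auth: SAMPLE_AUTH).inspect
end
```
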