Summary
The database password is exposed in the logs when the database connection string is shown:
- Run a postgres database
- Clone project
- Change env to point to this database
- Run the code:
pnpm install
cd /app/packages/hoppscotch-backend/ || exit
pnpm run start:prod
Details
If sensitive information exposed in the server logs is a security risk, as it is here, this needs to be addressed.
PoC
- Run Docker Compose with the database connection settings
- Open the Docker Compose logs
Impact
Everyone who can read the server logs.
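One way to keep the password out of the logs, shown as an added example that is not part of the original advisory or the Hoppscotch code base: mask the credential parts of the connection string before it reaches any logger. The function name, mask value and sample strings are assumptions constructed for illustration.

```javascript
// Added example; redactConnectionString, MASK and SECRET_PARAMS are hypothetical names.
const MASK = "****";
// Query parameters that can carry a secret in PostgreSQL connection URIs.
const SECRET_PARAMS = new Set(["password", "sslpassword"]);

function redactConnectionString(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    // Unparseable input (keyword/value DSN, malformed port): redact by pattern.
    // The first pattern is greedy up to the last '@', so a password that itself
    // contains '@' is masked completely (over-masking is preferred to leaking).
    return raw
      .replace(/(\/\/[^:\/\s]*:)\S*(@)/, `$1${MASK}$2`)
      .replace(/(password\s*=\s*)('[^']*'|[^\s&]+)/gi, `$1${MASK}`);
  }
  // URL form: mask the userinfo password and any secret-bearing query parameter.
  if (url.password) url.password = MASK;
  for (const key of [...url.searchParams.keys()]) {
    if (SECRET_PARAMS.has(key.toLowerCase())) url.searchParams.set(key, MASK);
  }
  return url.toString();
}

// Constructed sample value, not taken from the advisory.
const SAMPLE = "postgresql://hopp:s3cr3t@db:5432/hoppscotch?schema=public";
console.log("Connecting to database:", redactConnectionString(SAMPLE));
```

Host, port, database name and user stay visible for troubleshooting; only the secret parts are replaced.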