Patch #43986

open

add twofa_totp_key to the config.filter_parameter

Added by Julian Hanzlik about 14 hours ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-

Description

While working with the application, I encountered an unexpected error that resulted in the following log entry:


[request-id] ActionView::Template::Error 
[557a2650-c33f-4f3b-8b92-6ba7b9dac904] ActionView::Template::Error (No route matches {:action=>"show", :controller=>"doorkeeper/people", :id=>#<User id: xxx, login: "xxx", hashed_password: [FILTERED],
firstname: "xxx", lastname: "xxx", admin: xxx, status: 1, last_login_on: "xxx", language: "en", auth_source_id: nil, created_on: "xxx", updated_on: "xxx", type: "User", mail_notification: "only_my_events",
salt: "xxx", must_change_passwd: false, passwd_changed_on: "xxx", twofa_scheme: "totp", twofa_totp_key: <KEY_IN_CLEARTEXT>, twofa_totp_last_used_at: xxx, twofa_required: xxx>}):

The log output includes sensitive information, specifically the twofa_totp_key, which is written in plain text. This poses a security risk, as such secrets should never be exposed in application logs.

Expected Behavior

Sensitive attributes such as twofa_totp_key (and similar authentication-related fields) should always be properly filtered or masked in logs.

Actual Behavior

The twofa_totp_key is logged in clear text as part of the serialized User object within the error message.

Impact

This could potentially expose confidential authentication data if logs are accessed by unauthorized parties or stored in insecure locations.

Proposed Fix

I have implemented a fix to filter the sensitive attribute:

diff --git a/config/application.rb b/config/application.rb
index 953fd7616..49dc5e2f7 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -66,7 +66,7 @@ module RedmineApp
     config.encoding = "utf-8" 

     # Configure sensitive parameters which will be filtered from the log file.
-    config.filter_parameters += [:password]
+    config.filter_parameters += [:password, :twofa_totp_key]

     config.action_mailer.perform_deliveries = false
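Review bot: `salt` appears in the clear in the same User dump that motivated this change, so this line should cover it as well rather than leaving it to the "other sensitive fields" review, e.g. `config.filter_parameters += [:password, :salt, :twofa_totp_key]`. Matching is by substring (which is why `hashed_password` already shows as `[FILTERED]` in the reported dump), so `:twofa_totp_key` needs no wildcard and will also match any attribute name containing it.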

Additional Notes

It may be worth reviewing other sensitive fields to ensure they are consistently filtered across all logging outputs.
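The following Ruby is an added example, not code from this patch or from Redmine. It re-implements, in plain Ruby with no Rails dependency, the substring matching rule that `config.filter_parameters` applies (so the difference between `[:password]` and `[:password, :twofa_totp_key]` can be seen offline), and adds a small log audit that flags attributes in a serialized `#<User ...>` dump which match a sensitive pattern but still reached the log unfiltered. The `USER_ATTRS` hash and the log line format are constructed for the example; `build_matcher`, `filter_attributes`, `render_dump` and `unfiltered_sensitive_attrs` are hypothetical helper names.

```ruby
# Added example: a plain-Ruby stand-in for the matching rule Rails applies to
# config.filter_parameters, plus a log audit for attributes that escaped it.
# Not part of the Redmine patch or code base.

FILTERED = "[FILTERED]".freeze

# Filter list as it stands before the patch and as proposed by it.
BEFORE_PATCH = [:password].freeze
AFTER_PATCH  = [:password, :twofa_totp_key].freeze

# Builds a predicate with the same matching rule as Rails' parameter filter:
# a String/Symbol entry matches any key that *contains* it (so :password also
# covers hashed_password); a Regexp entry is matched against the whole key.
def build_matcher(patterns)
  substrings = patterns.reject { |p| p.is_a?(Regexp) }.map { |p| p.to_s.downcase }
  regexps    = patterns.select { |p| p.is_a?(Regexp) }
  lambda do |key|
    k = key.to_s
    substrings.any? { |s| k.downcase.include?(s) } || regexps.any? { |r| r.match?(k) }
  end
end

# Returns a copy of +attrs+ with every matching key's value replaced by
# [FILTERED]; nested hashes are filtered recursively (simplified stand-in).
def filter_attributes(attrs, patterns)
  matcher = build_matcher(patterns)
  attrs.each_with_object({}) do |(key, value), out|
    out[key] =
      if matcher.call(key)    then FILTERED
      elsif value.is_a?(Hash) then filter_attributes(value, patterns)
      else value
      end
  end
end

# Renders attributes the way an ActiveRecord #inspect dump appears in a log line.
def render_dump(model, attrs)
  body = attrs.map { |k, v| "#{k}: #{v == FILTERED ? v : v.inspect}" }.join(", ")
  "#<#{model} #{body}>"
end

# Matches one "name: value" pair inside a #<Model ...> dump.
DUMP_ATTR = /(\w+): (\[FILTERED\]|"(?:[^"\\]|\\.)*"|[^,>]+)/

# Log audit: names of attributes in +line+ that match a sensitive pattern but
# were not replaced by [FILTERED]. An empty array means the line is clean.
def unfiltered_sensitive_attrs(line, patterns)
  matcher = build_matcher(patterns)
  line.scan(DUMP_ATTR).filter_map do |name, value|
    name if matcher.call(name) && value != FILTERED
  end
end

# Constructed sample attributes; the TOTP key is a placeholder, not a real secret.
USER_ATTRS = {
  id: 42, login: "jdoe", hashed_password: "0123abcd", salt: "s4lt",
  twofa_scheme: "totp", twofa_totp_key: "PLACEHOLDER-NOT-A-REAL-KEY",
  twofa_required: false
}.freeze

if __FILE__ == $PROGRAM_NAME
  [BEFORE_PATCH, AFTER_PATCH].each do |patterns|
    line = "[req-id] ActionView::Template::Error (... " +
           render_dump("User", filter_attributes(USER_ATTRS, patterns)) + ")"
    puts line
    puts "  unfiltered sensitive attrs: #{unfiltered_sensitive_attrs(line, AFTER_PATCH).inspect}"
  end
end
```

Run as a script it prints the dump twice, once per filter list; with `[:password]` the audit reports `["twofa_totp_key"]`, with the patched list it reports nothing. Passing a Regexp such as `[/salt/]` to `unfiltered_sensitive_attrs` shows that `salt` is still dumped in the clear under either list.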


