-
Notifications
You must be signed in to change notification settings - Fork 151
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
do not render env variables in configs #771
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm, do we need to change the code in spec too?
Can we add a simple unit test for this? |
I can modify the code to make it easier to test. |
@mdedetrich it looks like the only real way to test this is to set an environment variable. I don't think I can set this in a test itself. I think I would need to set the env variable before calling sbt. I could change one or more of our CI jobs to set a test env var and use it in the test. I can get the test to pass if someone hasn't set this env variable so that we don't make it more complicated for people to run the tests manually. |
If it requires too much work we can skip it I guess, its just usually better to have a test for these kinds of things. Isn't |
I can play around with |
@mdedetrich It looks like sys env is read only - likewise with |
@pjfanning Okay, just ping me when the PR is ready. If its not possible to test then I would just go with the initial implementation (iirc it was simpler) |
f227a3b
to
ce3c842
Compare
@mdedetrich I've kept the centralised method for rendering with redactions. My code does an additional redaction of the username and may in future do more. The toString of the config is very large and I wouldn't be surprised if we need to do more changes in future. |
Thanks ill check it out tomorrow |
b0a878c
to
d32f3c3
Compare
d32f3c3
to
cbd7cec
Compare
@mdedetrich would you have time to look at this again? I'm hoping to do a v1.0.2 release within the next few weeks. |
actor-tests/src/test/scala/org/apache/pekko/actor/ActorSystemSpec.scala
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor nit but otherwise lgtm
* do not render env variables in configs * redact username when logging configs * Update ActorSystemSpec.scala * add test scalafmt * try/finally
see lightbend/config#798
The Akka team issued CVE-2023-45865 for the equivalent of our change but the general consensus on Pekko side is that printing the configs to the logs is not the default behaviour. It is useful to make a change but we don't think this warrants a CVE.
We strongly recommend that
log-config-on-start
is not enabled in production environments.