Summary
Credentials { email, password } uses #[derive(Debug)], so the plaintext password appears in any log output, panic backtrace, or error chain that formats this type with {:?} or {:#?}.
Location
- File: src/core/auth.rs
- Line(s): 9–13, 42–47
Severity
High
Details
Any code path that formats Credentials or AuthMethod::Credentials(...) with {:?} or {:#?} — including Rust's default panic handler and anyhow/thiserror error chains — will print the plaintext password. This includes future log statements, debug output, and crash reports.
Suggested Fix
Implement a manual Debug that redacts the password:
```rust
use std::fmt;

impl fmt::Debug for Credentials {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("Credentials")
            .field("email", &self.email)
            // Never format the real value; print a fixed marker instead.
            .field("password", &"[REDACTED]")
            .finish()
    }
}
```
Do the same for AuthMethod. Consider making password a non-pub field.
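The following is an added, self-contained example (not code from the repository the finding concerns) that carries the suggested fix through end to end: a `Credentials` type with a private `password` field and a redacting `Debug`, a hypothetical `AuthMethod` enum (its `ApiToken` variant is assumed for illustration) whose `Debug` delegates to it, the derived-`Debug` "before" version kept for contrast, and a `leaks_secret` check that renders a value both ways a panic handler or error chain would and looks for the secret in the output.

```rust
use std::fmt;

// "Before": the derived Debug the finding describes, kept only to show the leak.
#[derive(Debug)]
pub struct LeakyCredentials {
    pub email: String,
    pub password: String,
}

// "After": private password field plus a hand-written Debug that redacts it.
pub struct Credentials {
    pub email: String,
    password: String, // not pub: only reachable through the accessor below
}

impl Credentials {
    pub fn new(email: impl Into<String>, password: impl Into<String>) -> Self {
        Self { email: email.into(), password: password.into() }
    }

    /// Explicit accessor so code that genuinely needs the secret asks for it by name.
    pub fn password(&self) -> &str {
        &self.password
    }
}

impl fmt::Debug for Credentials {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("Credentials")
            .field("email", &self.email)
            .field("password", &"[REDACTED]")
            .finish()
    }
}

// Hypothetical enum mirroring the AuthMethod the finding mentions (constructed here).
pub enum AuthMethod {
    Credentials(Credentials),
    ApiToken(String),
}

impl fmt::Debug for AuthMethod {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            // Delegates to the redacting impl above, so nested formatting is safe too.
            AuthMethod::Credentials(c) => f.debug_tuple("Credentials").field(c).finish(),
            AuthMethod::ApiToken(_) => f.debug_tuple("ApiToken").field(&"[REDACTED]").finish(),
        }
    }
}

/// Renders a value the way a log macro, panic message or anyhow error chain would.
pub fn debug_render<T: fmt::Debug>(value: &T) -> String {
    format!("{:?}", value)
}

/// True if the secret shows up in either Debug form ({:?} or {:#?}).
pub fn leaks_secret<T: fmt::Debug>(value: &T, secret: &str) -> bool {
    format!("{:?}", value).contains(secret) || format!("{:#?}", value).contains(secret)
}

fn main() {
    // Constructed sample values; not real accounts.
    let secret = "hunter2-constructed";
    let leaky = LeakyCredentials { email: "alice@example.com".into(), password: secret.into() };
    let fixed = AuthMethod::Credentials(Credentials::new("alice@example.com", secret));
    println!("derived:  {} (leaks: {})", debug_render(&leaky), leaks_secret(&leaky, secret));
    println!("manual:   {} (leaks: {})", debug_render(&fixed), leaks_secret(&fixed, secret));
    println!("pretty:\n{:#?}", fixed);
}
```

Because the redaction lives in the `Debug` impl itself rather than at each call site, every future `{:?}` in a log statement, panic or error chain is covered, and the private field means a caller cannot reintroduce the leak by formatting `creds.password` directly.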
Automated finding by repo-monitor