fix(demo_build): redact $mrp before writing to $LOG (closes #155) #160
bradymiller wants to merge 1 commit into
Conversation
$LOG is `/var/www/localhost/htdocs/log/logSetup.txt` inside the demo container, exposed at <cluster>.openemr.io/log/logSetup.txt per the header comment near L226. Writing $mrp verbatim persists the mariadb root password to a publicly-fetchable URL.

Current real-world risk is low -- $mrp is literally "hey" for every production row, matching MYSQL_ROOT_PASSWORD in docker/scripts/demoLibrary.source -- but the pattern is a credential-disclosure shape. If anyone ever sets a per-cluster password to a real secret, this defends without needing to remember to redact.

Fix: log presence/emptiness only, not the value:

```bash
if [ -n "$mrp" ]; then _mrp_disp="<REDACTED>"; else _mrp_disp="<empty>"; fi
echo "$_mrp_disp"
echo "$_mrp_disp" >> "$LOG"
unset _mrp_disp
```

Both the console echo (previously "$mrp") and the persistent log write are covered.

Related follow-up: openemr#158 (same class of pattern in demoLibrary.source's mysqladmin cmdline -- separate issue since it's a different code path).

Closes openemr#155.

Assisted-by: Claude Code
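The presence-only marker described above, as an added example that is not the PR's or OpenEMR's code: it wraps the same `<REDACTED>`/`<empty>` decision in a function, writes the marker to both the console and a log file, and adds a post-write guard the PR does not include, grepping the log for the raw value so that a later edit which reintroduces the verbatim echo fails loudly. The function names (mrp_display, log_secret_presence, log_leaks_secret), the label text and the sample password are hypothetical; the demo writes to a temp file, not to $LOG.

```bash
#!/bin/sh
# Added example; not part of the PR or of OpenEMR's demo_build.sh.
# Function names and the sample value below are hypothetical/constructed.

# Display marker for a secret: reports whether it is set, never its value.
mrp_display() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' '<REDACTED>'
    else
        printf '%s\n' '<empty>'
    fi
}

# Echo a labelled marker to the console and append the same line to the log.
# Both sinks receive the marker, mirroring the PR's console echo + $LOG write;
# the scratch variables are unset afterwards, as the PR does with _mrp_disp.
log_secret_presence() {
    label=$1
    disp=$(mrp_display "$2")
    logfile=$3
    printf '%s: %s\n' "$label" "$disp"
    printf '%s: %s\n' "$label" "$disp" >> "$logfile"
    unset label disp logfile
}

# Guard for the failure mode the PR fixes: exit 0 only if the raw secret value
# appears anywhere in the log (fixed-string match). Empty secrets are skipped,
# because grep with an empty pattern would match every line.
log_leaks_secret() {
    [ -n "$1" ] || return 1
    grep -qF -- "$1" "$2"
}

# Demonstration on a constructed password, written to a temp file (not $LOG).
demo() {
    tmplog=$(mktemp)
    log_secret_presence "mariadb root password" "hey" "$tmplog"
    log_secret_presence "mariadb root password" "" "$tmplog"
    if log_leaks_secret "hey" "$tmplog"; then
        echo "LEAK: raw password is present in $tmplog" >&2
        rm -f "$tmplog"
        return 1
    fi
    echo "--- log contents ---"
    cat "$tmplog"
    rm -f "$tmplog"
}

demo
```

The guard is deliberately a substring match: a false positive on a short password is cheaper than a missed leak, and the check runs only against the build log, not against production output.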
CodeRabbit review (profile: CHILL): No actionable comments were generated in the recent review. Files selected for processing: 1.

Walkthrough: demo_build.sh no longer echoes the raw MariaDB password to stdout or the log file. It now conditionally displays <REDACTED> when the password variable is set or <empty> when unset, writing this marker instead, then clears the temporary variable.

Changes: password redaction in demo_build.sh.

Estimated code review effort: 1 (Trivial) | ~3 minutes. Pre-merge checks: 5 passed.
@coderabbitai review
✅ Action performed: Review finished.
Closes #155. Redact mariadb root password value in $LOG rather than logging it verbatim. Console echo also redacted for consistency.
Defense-in-depth — current $mrp value is `hey` for every production row (matching the documented `MYSQL_ROOT_PASSWORD` in `demoLibrary.source`), so no actual secret is disclosed today. But $LOG is exposed at `<cluster>.openemr.io/log/logSetup.txt` per the header comment near L226, so the pattern is a publicly-fetchable credential leak if anyone ever sets a real password.

Related: #158 (same class of anti-pattern in `demoLibrary.source`'s mysqladmin cmdline — separate issue, separate PR).

Test plan

- `bash -n` clean
- `shellcheck` clean
- `./tools/build-tests/test.sh` — 7/7 PASS

🤖 Generated with Claude Code