Skip to content

Authorization token leaks into TRACE logs (full request is logged) #215

Description

@EddieHouston

ConfigBuilder::authorization_provider (added in #194) injects an authorization
member — e.g. "Bearer <jwt>" — into the JSON-RPC request. The raw client logs the
full serialized request at TRACE, so the token is written to the logs in cleartext.

In src/raw_client.rs (0.25.0):

  • ~L798: trace!("==> {}", String::from_utf8_lossy(&raw));
  • ~L954: same, in the batch path.

Repro: any authenticated request with RUST_LOG=electrum_client=trace prints the
"authorization":"Bearer <jwt>" field. This is a credential leak for anyone using
authenticated Electrum proxies.

Suggested fix

Redact the authorization value before logging the request — e.g. log a copy with the
authorization field replaced by "<redacted>" (or omitted) instead of the raw bytes.
The response trace (<== {raw_resp}) is unaffected.

Happy to send a PR (follow-up to #194).

Metadata

Metadata

Labels

bugSomething isn't working

Type

Fields

No fields configured for Bug.

Projects

Status
Todo

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions