fix: remove cleartext password logging for security compliance#51

Merged
acockrell merged 1 commit into main from fix/remove-password-logging
Mar 9, 2026

Conversation

@acockrell
Collaborator

Summary

Removes cleartext password logging from user creation output to comply with gosec v2.24.7 security requirements.

Problem

PR #48 (gosec upgrade to v2.24.7) is failing because the newer version detects cleartext password logging:

  • Location: cmd/user-create.go:169
  • Rule: G705 (go/clear-text-logging)
  • Severity: Error
  • Code: fmt.Printf(EMAIL, user.PrimaryEmail, user.Password, user.PrimaryEmail)

Additionally, gosec v2.24.7 introduced a new rule G117 that flags OAuth2 token serialization in cmd/client.go:362.

Solution

Password Logging Fix

  • ✅ Removed password from EMAIL template
  • ✅ Updated fmt.Printf to omit password parameter
  • ✅ Added security note explaining password not displayed
  • ✅ Fixed integration test to not print sensitive data
  • ✅ Updated documentation

OAuth2 Token Caching

  • ✅ Added #nosec G117 comment for legitimate OAuth2 token caching
  • ✅ Token file has proper 0600 permissions
  • ✅ Path validation prevents directory traversal

Testing

make check

Results:

  • ✅ Formatting: Passed
  • ✅ Go vet: Passed
  • ✅ Linting: 0 issues
  • Security scan (gosec 2.24.7): 0 issues 🎉
  • ✅ All tests: Passed (133/133)
  • ✅ Pre-commit hooks: Passed

Security Improvements

  • Eliminates cleartext password logging - Passwords never displayed in stdout
  • Proper OAuth2 handling - Token caching has appropriate security exception
  • No breaking changes - Flag-based path already doesn't output passwords
  • User security - Password still generated and set; users required to change on first login

Files Modified

  • cmd/user-create.go - Removed password from output template and calls
  • cmd/integration_test.go - Updated test to use non-sensitive data
  • cmd/client.go - Added nosec comment for OAuth2 token caching

Related

Next Steps

After this PR is merged, PR #48 should be rebased to pick up these security fixes, allowing the gosec upgrade to pass all checks.

Remove password from user creation output to comply with gosec
security scan requirements. This fixes the cleartext logging warnings
that were blocking the gosec v2.24.7 upgrade (PR #48).

Changes:
- Remove "Password: %s" from EMAIL template in user-create.go
- Update fmt.Printf to omit password parameter
- Add security note to output explaining password not displayed
- Update integration test to not print sensitive data
- Update documentation to reflect password is not output
- Add nosec comment for legitimate OAuth2 token caching in client.go

The password is still generated and set correctly, but is no longer
displayed to stdout for security reasons. Users must change password
on first login as enforced by ChangePasswordAtNextLogin flag.

Security improvements:
- Fixes gosec cleartext logging warning
- Adds proper OAuth2 token caching exception
- All security scans now pass (gosec 2.24.7: 0 issues)
@acockrell acockrell merged commit 7022f88 into main Mar 9, 2026
8 checks passed
@acockrell acockrell deleted the fix/remove-password-logging branch March 9, 2026 05:45