From 9cbbb5cb84c8e4a1d07ff0be4776306cb4bc852d Mon Sep 17 00:00:00 2001
From: Benjamin Bertrand <benjamin.bertrand@esss.se>
Date: Fri, 5 Jan 2018 09:31:36 +0100
Subject: [PATCH] Remove passwords when displaying settings

---
 app/factory.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/app/factory.py b/app/factory.py
index 9d92c2c..1bdfe49 100644
--- a/app/factory.py
+++ b/app/factory.py
@@ -83,9 +83,14 @@ def create_app(config=None):
         handler.setLevel(logging.DEBUG)
         app.logger.addHandler(handler)
     app.logger.info('CSEntry created!')
-    app.logger.info('Settings:\n{}'.format(
-        '\n'.join(['{}: {}'.format(key, value) for key, value in app.config.items()
-                   if key not in ('SECRET_KEY', 'LDAP_BIND_USER_PASSWORD')])))
+    # Remove variables that contain a password
+    settings_to_display = [f'{key}: {value}' for key, value in app.config.items()
+                           if key not in ('SECRET_KEY', 'LDAP_BIND_USER_PASSWORD',
+                                          'MAIL_CREDENTIALS', 'SQLALCHEMY_DATABASE_URI')]
+    # The repr() of make_url hides the password
+    settings_to_display.append(f'SQLALCHEMY_DATABASE_URI: {sa.engine.url.make_url(app.config["SQLALCHEMY_DATABASE_URI"])!r}')
+    settings_string = '\n'.join(settings_to_display)
+    app.logger.info(f'Settings:\n{settings_string}')
 
     bootstrap.init_app(app)
     db.init_app(app)
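Review bot: The filter in the `settings_to_display` comprehension is a fixed denylist of four key names, so any secret-bearing setting added later (an API token, another service password) is written to the log at INFO level unless someone remembers to extend the tuple. Excluding by name pattern as well fails safer, for example adding `and not any(marker in key for marker in ('SECRET', 'PASSWORD', 'CREDENTIALS', 'TOKEN'))` next to the existing tuple, or logging only an explicit allowlist of keys. The `make_url(...)!r` line masks only the password component of the URL, so credentials supplied as query parameters would presumably still be printed. `app.config["SQLALCHEMY_DATABASE_URI"]` also raises `KeyError` during startup if the setting is absent, and `app.config.get('SQLALCHEMY_DATABASE_URI')` with a guard would avoid that. `create_app` starts and ends outside this hunk, so whether the URI is always set cannot be confirmed from here.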
-- 
GitLab