Hello Team, if I use redis-cli/Jedis to configure Sentinel to monitor a password-protected Redis shard, it prints the shard password in the Sentinel log. I vaguely remember seeing an existing issue on this topic, but somehow I am having trouble finding it now. I wonder if that's resolved in the latest version of Redis? Please suggest. Thanks!
Redis CLI:
127.0.0.1:17379> sentinel set shard_1 auth-pass THIS_IS_PASSWORD
OK
Sentinel log:
22720:X 05 Oct 2021 12:43:16.248 # +set master shard_1 127.0.0.1 6379 auth-pass THIS_IS_PASSWORD
Comment From: huangzhw
The latest version has not resolved it.
Comment From: hwware
@yossigo for this problem, I have 2 candidate solutions: the first is that we only display "+set master shard_1 127.0.0.1 6379 auth-pass" in the log, so the user knows the pass was changed; the second is that we could add several masks in the log, like "+set master shard_1 127.0.0.1 6379 auth-pass *". What do you think of these solutions, or do you have a better idea? Thanks
Comment From: yossigo
@hwware I prefer the 2nd option of indicating there's a masked / redacted password in there. Perhaps this is a good opportunity to identify other potential leaks of secrets to the log?
Comment From: hwware
> @hwware I prefer the 2nd option of indicating there's a masked / redacted password in there. Perhaps this is a good opportunity to identify other potential leaks of secrets to the log?
Thanks, Yossi. I will create a PR for this issue.
Comment From: hwware
@satheeshaGowda Please check the PR https://github.com/redis/redis/pull/9652, it is related to this issue.
Comment From: yossigo
Fixed by #9652
Comment From: atomicules
Will this be backported to 6.2.x? Or would a PR be accepted backporting this to 6.2?
Comment From: hwware
@oranagra @yossigo @moticless Can we consider adding this fix to the 6.2 version? Thanks. The PR is https://github.com/redis/redis/pull/9652
Comment From: oranagra
I suppose so.. marked the PR for backport.
Comment From: hwware
> i suppose so.. marked the PR for backport.
Thanks a lot
Comment From: atomicules
Thank you!
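An added example, not part of the original thread and not the Redis change in #9652: a Python filter that masks auth-pass values already written to a Sentinel log by `+set` events in the format quoted in the issue, and reports which masters had a password logged in cleartext. The function names, the mask string and every sample line except the first are assumptions of this example.

```python
import re

# Event layout taken from the log line quoted in the issue:
#   <pid>:X <date> <time> # +set master <name> <ip> <port> <option> <value>
SET_EVENT = re.compile(
    r"^(?P<head>.*?\s\+set master (?P<name>\S+) \S+ \d+ )"
    r"(?P<option>\S+) (?P<value>.+)$"
)
# Only auth-pass is named in the thread; add other options you treat as
# secret (assumption of this example, not a list taken from Redis).
SENSITIVE_OPTIONS = frozenset({"auth-pass"})
MASK = "<redacted>"  # marker chosen for this example


def redact_line(line, sensitive=SENSITIVE_OPTIONS):
    """Return (clean_line, master); master is None if nothing was masked."""
    body = line.rstrip("\n")
    m = SET_EVENT.match(body)
    if not m or m["option"] not in sensitive or m["value"] == MASK:
        return line, None
    eol = line[len(body):]  # keep the original line ending
    return f"{m['head']}{m['option']} {MASK}{eol}", m["name"]


def redact_log(lines, sensitive=SENSITIVE_OPTIONS):
    """Mask secrets in log lines; also return [(line_no, master)] for every
    credential that had been logged in cleartext, i.e. the ones to rotate."""
    clean, exposed = [], []
    for no, line in enumerate(lines, start=1):
        out, master = redact_line(line, sensitive)
        clean.append(out)
        if master is not None:
            exposed.append((no, master))
    return clean, exposed


# Constructed sample: line 1 is the entry from the issue, lines 2-3 are made up.
SAMPLE = [
    "22720:X 05 Oct 2021 12:43:16.248 # +set master shard_1 127.0.0.1 6379 auth-pass THIS_IS_PASSWORD\n",
    "22720:X 05 Oct 2021 12:43:20.101 # +set master shard_1 127.0.0.1 6379 down-after-milliseconds 5000\n",
    "22720:X 05 Oct 2021 12:44:02.530 # +set master shard_2 127.0.0.1 6380 auth-pass two words\n",
]

if __name__ == "__main__":
    cleaned, exposed = redact_log(SAMPLE)
    print("".join(cleaned), end="")
    print("rotate auth-pass for:", exposed)
```

The value is matched to the end of the line, so a password containing spaces is masked in full; running the filter again over its own output reports nothing.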