fix(authority-claimer): redact mnemonic from logs

cartesi · Jan 25, 2024 · acd98b3 · acd98b3
1 parent ad1178a
commit acd98b3
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -33,6 +33,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Removed concurrent block fetch in foldable `InputBox`.
 - Removed snapshot-saving feature. Now, the node will always start from the beginning.
 
+### Fixed
+
+- Fixed mnemonic leaking through log entries.
+
 ## [1.2.0]
 
 ### Added

diff --git a/offchain/Cargo.lock b/offchain/Cargo.lock
diff --git a/offchain/authority-claimer/Cargo.toml b/offchain/authority-claimer/Cargo.toml
@@ -15,6 +15,7 @@ http-server = { path = "../http-server" }
 log = { path = "../log" }
 rollups-events = { path = "../rollups-events" }
 types = { path = "../types" }
+redacted = { path = "../redacted" }
 
 async-trait.workspace = true
 clap = { workspace = true, features = ["derive", "env"] }

diff --git a/offchain/authority-claimer/src/config/cli.rs b/offchain/authority-claimer/src/config/cli.rs
@@ -7,6 +7,7 @@ use eth_tx_manager::{
     Priority,
 };
 use log::{LogConfig, LogEnvCliConfig};
+use redacted::Redacted;
 use rollups_events::{BrokerCLIConfig, BrokerConfig};
 use rusoto_core::Region;
 use snafu::ResultExt;
@@ -118,7 +119,7 @@ impl TryFrom<TxSigningCLIConfig> for TxSigningConfig {
         let account_index = cli.tx_signing_mnemonic_account_index;
         if let Some(mnemonic) = cli.tx_signing_mnemonic {
             Ok(TxSigningConfig::Mnemonic {
-                mnemonic,
+                mnemonic: Redacted::new(mnemonic),
                 account_index,
             })
         } else if let Some(path) = cli.tx_signing_mnemonic_file {
@@ -127,7 +128,7 @@ impl TryFrom<TxSigningCLIConfig> for TxSigningConfig {
                 .trim()
                 .to_string();
             Ok(TxSigningConfig::Mnemonic {
-                mnemonic,
+                mnemonic: Redacted::new(mnemonic),
                 account_index,
             })
         } else {

diff --git a/offchain/authority-claimer/src/config/mod.rs b/offchain/authority-claimer/src/config/mod.rs
@@ -12,6 +12,7 @@ use cli::AuthorityClaimerCLI;
 use eth_tx_manager::{config::TxManagerConfig, Priority};
 use http_server::HttpServerConfig;
 use log::LogConfig;
+use redacted::Redacted;
 use rollups_events::BrokerConfig;
 use rusoto_core::Region;
 
@@ -35,7 +36,7 @@ pub struct AuthorityClaimerConfig {
 #[derive(Debug, Clone)]
 pub enum TxSigningConfig {
     Mnemonic {
-        mnemonic: String,
+        mnemonic: Redacted<String>,
         account_index: Option<u32>,
     },
 

diff --git a/offchain/authority-claimer/src/signer/signer.rs b/offchain/authority-claimer/src/signer/signer.rs
@@ -50,7 +50,7 @@ impl ConditionalSigner {
                 const DEFAULT_ACCOUNT_INDEX: u32 = 0;
                 let index = account_index.unwrap_or(DEFAULT_ACCOUNT_INDEX);
                 let wallet = MnemonicBuilder::<English>::default()
-                    .phrase(mnemonic.as_str())
+                    .phrase(mnemonic.inner().as_str())
                     .index(index)
                     .context(LocalWalletSnafu)?
                     .build()
@@ -153,6 +153,7 @@ mod tests {
         Address, Eip1559TransactionRequest,
     };
     use ethers_signers::Signer;
+    use redacted::Redacted;
 
     use crate::{config::TxSigningConfig, signer::ConditionalSigner};
 
@@ -191,7 +192,7 @@ mod tests {
 
     async fn local_wallet_conditional_signer() -> ConditionalSigner {
         let tx_signing_config = TxSigningConfig::Mnemonic {
-            mnemonic: MNEMONIC.to_string(),
+            mnemonic: Redacted::new(MNEMONIC.to_string()),
             account_index: Some(1),
         };
         ConditionalSigner::new(CHAIN_ID, &tx_signing_config)