The class DefaultJedisClientConfig overrides the getPassword method that returns a String.
Returning a string might be considered a potential security issue since an attacker might inspect the heap and find the value in plaintext.
Ideally we should just pass through the value supplied by the provider here and not create a String based on the char[] array.
Expected behavior
Return a char[] instead of String
Actual behavior
A string is returned.
Steps to reproduce:
N/A
Redis / Jedis Configuration
N/A
Jedis version:
N/A
Redis version:
Java version:
N/A
String getPassword() is still there to support legacy applications without breaking. We may remove it at some point in favor of getCredentialsProvider().
If possible, I would like to take ownership of this issue. In my opinion, I can replace String with char[] and modify the DefaultJedisClientConfig class and DefaultRedisCredentials methods. However, I have three questions:
Using char[] instead of String is for easier password clearing. When exactly should we clear the password? Or is it not necessary to clear it?
I couldn't find any unit tests for getPassword. Do I need to write a unit test for it to follow TDD development practices?
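As an added illustration of the char[] pass-through and the "when to clear" question raised in the thread (example code, not Jedis's own; the PasswordProvider, CharArrayPasswordProvider and AuthClient names are assumptions, and the AUTH write is a stand-in for the real command):

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical provider contract: hands out the password as char[] so the
// consumer can wipe it. Not Jedis's real RedisCredentials types.
interface PasswordProvider {
    char[] getPassword();
}

final class CharArrayPasswordProvider implements PasswordProvider {
    private final char[] password;
    CharArrayPasswordProvider(char[] password) { this.password = password; }
    // Pass-through: return the array itself instead of new String(password),
    // which would leave an immutable plaintext copy on the heap until GC.
    @Override public char[] getPassword() { return password; }
}

final class AuthClient {
    // Encodes the char[] straight to wire bytes (no String in between),
    // writes them, then zeroes every transient copy in a finally block.
    static void authenticate(PasswordProvider provider, OutputStream out) throws IOException {
        char[] pw = provider.getPassword();
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(pw));
        byte[] wire = new byte[encoded.remaining()];
        encoded.get(wire);
        try {
            out.write(wire);                                   // stand-in for AUTH
        } finally {
            // Clear as soon as the command is written: the bytes sent, the
            // encoder's backing buffer, and the char[] the provider supplied.
            Arrays.fill(wire, (byte) 0);
            if (encoded.hasArray()) Arrays.fill(encoded.array(), (byte) 0);
            Arrays.fill(pw, '\0');
        }
    }

    public static void main(String[] args) throws IOException {
        char[] secret = "s3cr3t".toCharArray();   // constructed sample value
        authenticate(new CharArrayPasswordProvider(secret), new ByteArrayOutputStream());
        System.out.println(Arrays.toString(secret)); // every element is now '\0'
    }
}
```

Wiping the provider's array after the write assumes the provider supplies a fresh copy on each call; a provider that reuses one array could no longer re-authenticate on reconnect, which is the trade-off behind the "when to clear" question.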