SharedPreferences: don't log full prefs dict#123
Merged
ThomasFarstrike merged 1 commit intoApr 19, 2026
Merged
Conversation
config.py:load() printed `self.data` verbatim every time any app
loaded its preferences:
print(f"load: Loaded preferences from {self.filepath}: {self.data}")
Preferences commonly hold secrets — the built-in WiFi app stores
passwords in access_points; third-party apps store API keys / NWC
secrets / xpubs / etc. — and with the `print` above, every one of
those values was dumped to the serial console / REPL on every
`load()`, which runs on app startup and on every SharedPreferences
instantiation.
Concrete impact discovered during v0.3.0 dev on LightningPiggy/LightningPiggyApp:
a device running the Lightning Piggy app prints its Nostr Wallet
Connect secret (spending auth) and its LNBits readkey (wallet read
auth) to serial on every settings navigation — 9+ times in a
normal session, any one of which being shared with a collaborator
or attached to a bug report would hand over wallet control.
Fix: log only the filepath and key count on successful load. Apps
that want to see specific values in logs can opt in by dereferencing
the keys themselves.
No API change; behaviour-only. All existing tests continue to pass.
bitcoin3us
changed the title
Contributor
|
Noice! |
bitcoin3us
pushed a commit
to bitcoin3us/MicroPythonOS
that referenced
this pull request
Apr 20, 2026
Three print sites in the Settings → Wi-Fi app were leaking the
Wi-Fi password to the serial console / REPL:
1. `edit_network_result_callback` — prints `result` which is
`{'result_code': True, 'data': {'ssid': ..., 'password': ...,
'hidden': ...}}`. Fires every time the user saves the
EditNetwork screen.
2. `start_attempt_connecting` — prints `'... SSID 'X' with
password 'Y''`. Fires on every connection attempt.
3. `gotqr_result_callback` — prints the raw result and the raw
QR data. A Wi-Fi QR code's payload is
`WIFI:T:WPA;S:SSID;P:password;H:...;;` — the password is in
plaintext. Fires every time a Wi-Fi QR is scanned.
Discovered while testing LightningPiggy app's Wi-Fi reconnect
flow on a device: the user's home Wi-Fi password was printed to
serial on every connect retry, and would appear in any shared
debug log or REPL paste. Companion to MicroPythonOS#123 (which
fixed the `SharedPreferences.load()` leak in the same vein).
Fix: redact `password` from the result-dict dump, drop the
password argument from the connect-attempt print, and drop both
the full-result and raw-QR prints from the QR callback (replaced
with a minimal status print).
No API change, no behaviour change — only log output.
This was referenced Apr 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
internal_filesystem/lib/mpos/config.pyhas a pre-existing leak inSharedPreferences.load():Every
load()— which fires on app startup and on everySharedPreferences(...)instantiation — dumps the full prefs dict to the serial console / REPL. Because prefs commonly hold secrets, anyone tailing serial or pasting a log for debugging is exposing those secrets.Concrete impact
Discovered during v0.3.0 development on LightningPiggy/LightningPiggyApp. A single session on a device running the Lightning Piggy app printed:
secret=…param — grants spending authority over an attached Lightning wallet)…to serial at least 9 times across normal navigation (main screen → Settings → Wallet → back). Any user sharing a REPL log to get help with an unrelated bug would hand over wallet control.
Beyond Lightning Piggy, the built-in WiFi app stores AP passwords in the same prefs mechanism under the
access_pointsdict — the example code at the bottom ofconfig.pyitself shows passwords being written ("password": "examplepass1"). Those leak too.Fix
One-line change. Log only the filepath and key count, not the values:
Rationale captured in a code comment next to the change.
Apps that want rich logging of specific keys can still do so themselves by dereferencing — the change only affects the generic framework-level dump.
No behaviour change
CHANGELOG
Added a bullet under the
Frameworks:section of the "Future release" block.Release target
This is a security fix, so I'd suggest merging against main and releasing as part of the next version regardless of its feature scope. Happy to rebase if you'd rather it go into a patch release on the 0.9.x line.
Test plan
./tests/unittest.sh tests/test_shared_preferences.pypassesload: Loaded preferences from …in serial (just without values)SharedPreferences.load didn't find preferences: …as before🤖 Generated with Claude Code