Secrets in redis.conf are exposed when exporting config metrics

[mkoser]

Describe the problem
Secret values like masterauth / requirepass are included in redis_config_key_value metrics when exporting config metrics.

What version of redis_exporter are you running?
v1.35.0

Running the exporter

/usr/local/bin/redis_exporter

## ENV
REDIS_ADDR="redis://localhost:6379"
REDIS_EXPORTER_EXPORT_CLIENT_LIST=true
REDIS_EXPORTER_INCL_CONFIG_METRICS=true
REDIS_EXPORTER_INCL_SYSTEM_METRICS=true
REDIS_EXPORTER_IS_CLUSTER=true
REDIS_EXPORTER_PING_ON_CONNECT=true
REDIS_EXPORTER_REDIS_ONLY_METRICS=true
REDIS_EXPORTER_WEB_LISTEN_ADDRESS=":9101"
REDIS_PASSWORD=******

Expected behavior
masterauth / requirepass values are excluded or obfuscated in the metric.

Screenshots

Additional context

[oliver006]

Oh fun, that's not good. I'll add something to suppress those metrics.
I'll definitely skip masterauth and requirepass, do you have a list of other metrics to exclude?

[oliver006]

Released as v1.35.1

[mkoser]

Oh fun, that's not good. I'll add something to suppress those metrics. I'll definitely skip masterauth and requirepass, do you have a list of other metrics to exclude?

That should be it since other auth methods have been moved to the ACL subsystem and won't show in config (besides the path to the file where they exist. Since passwords are hashed even the file path shouldn't pose a large security risk.)

Thanks for the quick turn-around!