From d...@apache.org
Subject [05/26] git commit: updated refs/heads/4.4-forward to 0594598
Date Tue, 22 Apr 2014 08:02:32 GMT
CLOUDSTACK-6287, CLOUDSTACK-6315 : fixed passwords being visible in plain text in some Hyper-V request
params/JSON responses


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/4c413472
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/4c413472
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/4c413472

Branch: refs/heads/4.4-forward
Commit: 4c4134721dde68f288b9ba273181c5db5fbbc41f
Parents: 2e72742
Author: Anshul Gangwar <anshul.gangwar@citrix.com>
Authored: Wed Apr 9 10:44:13 2014 +0530
Committer: Devdeep Singh <devdeep@gmail.com>
Committed: Fri Apr 18 14:05:19 2014 +0530

----------------------------------------------------------------------
 utils/src/com/cloud/utils/StringUtils.java | 32 +++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4c413472/utils/src/com/cloud/utils/StringUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/StringUtils.java b/utils/src/com/cloud/utils/StringUtils.java
index 1600488..09045aa 100644
--- a/utils/src/com/cloud/utils/StringUtils.java
+++ b/utils/src/com/cloud/utils/StringUtils.java
@@ -20,11 +20,11 @@
 package com.cloud.utils;
 
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
-import java.util.HashMap;
 import java.util.Map;
-
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import org.owasp.esapi.StringUtilities;
@@ -159,10 +159,16 @@ public class StringUtils {
     }
 
     // removes a password request param and it's value, also considering password is in query
parameter value which has been url encoded
-    private static final Pattern REGEX_PASSWORD_QUERYSTRING = Pattern.compile("(&|%26)?(password|accesskey|secretkey)(=|%3D).*?(?=(%26|[&'\"]))");
+    private static final Pattern REGEX_PASSWORD_QUERYSTRING = Pattern.compile("(&|%26)?((p|P)assword|accesskey|secretkey)(=|%3D).*?(?=(%26|[&'\"]))");
 
     // removes a password/accesskey/ property from a response json object
-    private static final Pattern REGEX_PASSWORD_JSON = Pattern.compile("\"(password|accesskey|secretkey)\":\".*?\",?");
+    private static final Pattern REGEX_PASSWORD_JSON = Pattern.compile("\"((p|P)assword|accesskey|secretkey)\":\\s?\".*?\",?");
+
+    private static final Pattern REGEX_PASSWORD_DETAILS = Pattern.compile("(&|%26)?details(\\[|%5B)\\d*(\\]|%5D)\\.key(=|%3D)((p|P)assword|accesskey|secretkey)(?=(%26|[&'\"]))");
+
+    private static final Pattern REGEX_PASSWORD_DETAILS_INDEX = Pattern.compile("details(\\[|%5B)\\d*(\\]|%5D)");
+
+    private static final Pattern REGEX_REDUNDANT_AND = Pattern.compile("(&|%26)(&|%26)+");
 
     // Responsible for stripping sensitive content from request and response strings
     public static String cleanString(String stringToClean) {
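Review bot: The lookahead `(?=(%26|[&'\"]))` that closes REGEX_PASSWORD_DETAILS requires a delimiter after the key name, so a `details[N].key=password` parameter that ends the string is never matched and its value survives cleaning; REGEX_PASSWORD_QUERYSTRING, touched on the line above, has the same limitation. Allowing end of input in both, `(?=(%26|[&'\"])|$)`, closes that gap. In REGEX_PASSWORD_JSON the new `\\s?` admits only one whitespace character after the colon, so a response pretty-printed with wider spacing is not matched; `\\s*` is the usual form. The three new patterns also lack the one-line comment their neighbours carry, e.g. `// matches details[N].key=password style request params so the whole details[N] entry can be removed`. cleanString's body continues past the end of this hunk.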
@@ -170,7 +176,25 @@ public class StringUtils {
         if (stringToClean != null) {
             cleanResult = REGEX_PASSWORD_QUERYSTRING.matcher(stringToClean).replaceAll("");
             cleanResult = REGEX_PASSWORD_JSON.matcher(cleanResult).replaceAll("");
+            Matcher detailsMatcher = REGEX_PASSWORD_DETAILS.matcher(cleanResult);
+            while (detailsMatcher.find()) {
+                Matcher detailsIndexMatcher = REGEX_PASSWORD_DETAILS_INDEX.matcher(detailsMatcher.group());
+                if (detailsIndexMatcher.find()) {
+                    cleanResult = cleanDetails(cleanResult, detailsIndexMatcher.group());
+                }
+            }
+        }
+        return cleanResult;
+    }
+
+    public static String cleanDetails(String stringToClean, String detailsIndexSting) {
+        String cleanResult = stringToClean;
+        for (String log : stringToClean.split("&|%26")) {
+            if (log.contains(detailsIndexSting)) {
+                cleanResult = cleanResult.replace(log, "");
+            }
         }
+        cleanResult = REGEX_REDUNDANT_AND.matcher(cleanResult).replaceAll("&");
         return cleanResult;
     }
 
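Review bot: In cleanDetails, `cleanResult.replace(log, "")` deletes every occurrence of the segment text rather than the one segment the split found, so a short segment could in principle also be cut out of a longer parameter that contains it; removing the segment at its own position, or rebuilding the string from the segments that are kept, avoids that. `stringToClean.split("&|%26")` compiles a regex on every call while the class keeps its other patterns as static finals; `private static final Pattern REGEX_PARAM_SEPARATOR = Pattern.compile("&|%26");` used as `REGEX_PARAM_SEPARATOR.split(stringToClean)` fits the existing style. The while loop in cleanString keeps scanning the string `detailsMatcher` was built on while `cleanResult` is reassigned, which works because each hit only supplies an index, but that deserves a comment: `// matcher runs over the pre-clean text; each hit only names a details[N] index to strip from cleanResult`. The parameter name `detailsIndexSting` is a typo for `detailsIndexString`, and public cleanDetails has no Javadoc stating that it removes every `&`/`%26`-separated parameter containing that index and collapses the separators left behind. cleanString's opening lines lie outside this hunk.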

