Date: Wed, 26 Sep 2018 06:50:00 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: issues@commons.apache.org
Subject: [jira] [Commented] (LANG-1400) StringUtils: Add method for masking strings

[ https://issues.apache.org/jira/browse/LANG-1400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16628314#comment-16628314 ]

ASF GitHub Bot commented on LANG-1400:
--------------------------------------

Github user aaabramov commented on the issue:

https://github.com/apache/commons-lang/pull/335

> Sounds reasonable; at the same time it will not always be obvious which minMasked to use.
> For example already mentioned credit card numbers in fact can have varying length, as I remember up to 24 digits.
> As I understood I created this function for specific case which you had. Can you provide some examples from real life when minMasked was needed?

FYI, card numbers can vary from 13 to 19 digits.
PCI DSS allows to log PANs masked in such a way:

Here is proper maskifying Scala code:

```
val START_SYMBOLS = 6 // leading characters left visible
val END_SYMBOLS = 4   // trailing characters left visible
val TOTAL_SYMBOLS: Int = START_SYMBOLS + END_SYMBOLS

private def stars(count: Int): String = "*" * count

// Replaces everything between the first 6 and the last 4 characters with '*'.
def maskify(number: String): String =
  if (number.length <= 6) {
    number
  } else {
    val maskLength = (number.length - TOTAL_SYMBOLS).max(0)
    val numberFromEnd = maskLength + START_SYMBOLS
    number.substring(0, 6) + stars(maskLength) + number.substring(numberFromEnd)
  }
```

As a result:

```
4242424242424242 ~> 424242******4242
424242424242424242 ~> 424242********4242
```

> StringUtils: Add method for masking strings
> -------------------------------------------
>
> Key: LANG-1400
> URL: https://issues.apache.org/jira/browse/LANG-1400
> Project: Commons Lang
> Issue Type: Improvement
> Components: lang.*
> Reporter: Sergey Ponomarev
> Priority: Minor
>
> It would be great to have a function which allows to mask the original str by replacing its characters with the specified character-mask. For example to mask credit card:
> {code}
> mask("3566002020360505", 4, 4, '*') = "3566********0505"
> {code}
> Thus the number was hidden by asterisks while first and last four digits are unmasked and seen.
> Common use case is to hide sensitive information from logs, by using it in toString() of classes or in inputs to log calls.
> I think this is "must have" functionality for Commons Lang library because from my experience in almost all big projects what I saw was their home grown masking function.
> I think this is very important also because this is required for masking credit card numbers by PCI compliance. Also new GDPR rules require to hide personal info as much as possible so masking of First and Last names now is required by laws.
> To make the world safer place the utility for masking should be already existing in platform to avoid situations when developer think "this is better to mask but I don't have enough time now so let's do this later" until leak happens.
> IMHO this should be implemented even in `String` class itself.
> From my experience what I saw was usually few masking usages and styles:
> 1. masking of passwords and names: only first and last symbols are shown, mask char is `*`
> 2. masking of credit cards: only first and last 4 or 6 symbols are shown, mask char is `*`.
> 3. credit card number shortest masking of last symbols i.e. `mask("4242424242424242") == " *4242"` but it's not so often used, I just wanted to mention.
> 4. not masking but showing a length just to see that value was passed. This can be easily achieved by usual `String.length()` method.
> There is already some pull request [https://github.com/apache/commons-lang/pull/332] but I decided to create the ticket because we also need to support masking for ToStringBuilder and I would like to propose [PR with my own implementation of mask() function|https://github.com/apache/commons-lang/pull/335].
> If you accept my PR then I'll send another one with a new annotation @ToStringMasked in accordance to [@ToStringExclude|https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/builder/ToStringExclude.html] which will mark that fields should be masked. Possible usage I see like:
> {code}
> @ToStringMasked(unmaskedStart = 4, unmaskedEnd = 4)
> String creditCardNumber;
> @ToStringMasked(unmaskedStart = 1, unmaskedEnd = 1)
> String password;
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
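
Added example, not part of the mail above and not the code from pull request 335: a Java version of the `mask(str, unmaskedStart, unmaskedEnd, mask)` signature from the issue, extended with a `minMasked` floor. The class name `MaskExample`, the parameter order and the floor's semantics (shrink the visible windows, leading window served first) are assumptions. Without a floor, showing 6 leading and 4 trailing characters leaves an input of ten characters or fewer with nothing masked.

```java
public final class MaskExample {

    /**
     * Masks str, leaving at most unmaskedStart leading and unmaskedEnd trailing
     * characters visible, while guaranteeing that at least minMasked characters
     * are masked (the whole string if it is shorter than minMasked).
     * Assumed semantics for minMasked; the page only names the parameter.
     */
    static String mask(String str, int unmaskedStart, int unmaskedEnd,
                       int minMasked, char maskChar) {
        if (str == null || str.isEmpty()) {
            return str;
        }
        if (unmaskedStart < 0 || unmaskedEnd < 0 || minMasked < 0) {
            throw new IllegalArgumentException("lengths must be non-negative");
        }
        int len = str.length();
        // Number of characters that may stay visible once the floor is honoured.
        int visibleBudget = Math.max(0, len - minMasked);
        // The leading window is served first; the trailing window gets the rest.
        int start = Math.min(unmaskedStart, visibleBudget);
        int end = Math.min(unmaskedEnd, visibleBudget - start);

        StringBuilder sb = new StringBuilder(len);
        sb.append(str, 0, start);
        for (int i = start; i < len - end; i++) {
            sb.append(maskChar);
        }
        sb.append(str, len - end, len);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the two sample numbers from the thread,
        // then two short values where the floor takes over.
        String[][] cases = {
            {"4242424242424242", "6", "4"},  // full 6/4 windows fit
            {"3566002020360505", "4", "4"},  // the 4/4 call from the issue
            {"42424242", "6", "4"},          // too short: windows are shrunk
            {"4242", "6", "4"},              // shorter than minMasked: all masked
        };
        for (String[] c : cases) {
            String masked = mask(c[0], Integer.parseInt(c[1]),
                                 Integer.parseInt(c[2]), 6, '*');
            System.out.println(c[0] + " ~> " + masked);
        }
    }
}
```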