mirror of https://github.com/0xERR0R/blocky.git
fix: obfuscate secrets using a constant length string
parent
2c6b704433
commit
1edf8cc355
|
@ -27,6 +27,8 @@ const (
|
|||
udpPort = 53
|
||||
tlsPort = 853
|
||||
httpsPort = 443
|
||||
|
||||
secretObfuscator = "********"
|
||||
)
|
||||
|
||||
type Configurable interface {
|
||||
|
|
|
@ -57,14 +57,10 @@ func (c *QueryLog) censoredTarget() string {
|
|||
return c.Target
|
||||
}
|
||||
|
||||
if target.User == nil {
|
||||
pass, ok := target.User.Password()
|
||||
if !ok {
|
||||
return c.Target
|
||||
}
|
||||
|
||||
// Drop the password since special chars like * get URL escaped
|
||||
if pass, hasPass :=target.User.Password(); hasPass {
|
||||
return strings.Replace(target.String(), pass, strings.Repeat("*", len(pass)), 1)
|
||||
}
|
||||
|
||||
return target.String()
|
||||
return strings.ReplaceAll(c.Target, pass, secretObfuscator)
|
||||
}
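Review bot: The final `strings.ReplaceAll(c.Target, pass, secretObfuscator)` searches the raw target for the decoded password, so a password written with percent-escapes in `c.Target` (constructed example: `p%40ss`, which decodes to `p@ss`) is never matched and the target is logged with the secret intact. An empty password (`user:@host`) also yields `ok == true`, and `ReplaceAll` with an empty search string inserts the mask between every character. Guard both cases before the replace, for instance `if pass == "" || !strings.Contains(c.Target, pass) { return target.Redacted() }`, and add an escaped-password entry to the "secret censoring" table. The start of `censoredTarget` is outside the hunk, so this assumes `target` is the `*url.URL` parsed from `c.Target`.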
|
||||
|
|
|
@ -56,7 +56,7 @@ var _ = Describe("QueryLogConfig", func() {
|
|||
Expect(hook.Messages).Should(ContainElement(ContainSubstring("logRetentionDays:")))
|
||||
})
|
||||
|
||||
DescribeTable("doesn't print the target password", func(target string) {
|
||||
DescribeTable("secret censoring", func(target string) {
|
||||
cfg.Type = QueryLogTypeMysql
|
||||
cfg.Target = target
|
||||
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
package config
|
||||
|
||||
import (
|
||||
"strings"
|
||||
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
|
@ -32,7 +30,7 @@ func (c *Redis) LogConfig(logger *logrus.Entry) {
|
|||
}
|
||||
|
||||
logger.Info("username: ", c.Username)
|
||||
logger.Info("password: ", obfuscatePassword(c.Password))
|
||||
logger.Info("password: ", secretObfuscator)
|
||||
logger.Info("database: ", c.Database)
|
||||
logger.Info("required: ", c.Required)
|
||||
logger.Info("connectionAttempts: ", c.ConnectionAttempts)
|
||||
|
@ -42,7 +40,7 @@ func (c *Redis) LogConfig(logger *logrus.Entry) {
|
|||
logger.Info("sentinel:")
|
||||
logger.Info(" master: ", c.Address)
|
||||
logger.Info(" username: ", c.SentinelUsername)
|
||||
logger.Info(" password: ", obfuscatePassword(c.SentinelPassword))
|
||||
logger.Info(" password: ", secretObfuscator)
|
||||
logger.Info(" addresses:")
|
||||
|
||||
for _, addr := range c.SentinelAddresses {
|
||||
|
@ -50,8 +48,3 @@ func (c *Redis) LogConfig(logger *logrus.Entry) {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
// obfuscatePassword replaces all characters of a password except the first and last with *
|
||||
func obfuscatePassword(pass string) string {
|
||||
return strings.Repeat("*", len(pass))
|
||||
}
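Review bot: Both `logger.Info("password: ", secretObfuscator)` and the sentinel variant now print the mask even when `c.Password` or `c.SentinelPassword` is empty, so the log no longer shows whether a credential is configured at all. If that distinction is wanted for troubleshooting, a small helper that returns `secretObfuscator` for a non-empty value and an empty string otherwise would preserve it while still hiding the length. If masking unconditionally is intended, record it on the constant, e.g. `// secretObfuscator is logged in place of any secret, set or not, so neither value nor length leaks`. `LogConfig` starts outside these hunks.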
|
||||
|
|
|
@ -86,19 +86,23 @@ var _ = Describe("Redis", func() {
|
|||
ContainElement(ContainSubstring(" - localhost:26380"))))
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
Describe("obfuscatePassword", func() {
|
||||
When("password is empty", func() {
|
||||
It("should return empty string", func() {
|
||||
Expect(obfuscatePassword("")).Should(Equal(""))
|
||||
})
|
||||
const secretValue = "secret-value"
|
||||
|
||||
It("should not log the password", func() {
|
||||
c.Password = secretValue
|
||||
c.LogConfig(logger)
|
||||
|
||||
Expect(hook.Calls).ShouldNot(BeEmpty())
|
||||
Expect(hook.Messages).ShouldNot(ContainElement(ContainSubstring(secretValue)))
|
||||
})
|
||||
|
||||
When("password is not empty", func() {
|
||||
It("should return obfuscated password", func() {
|
||||
Expect(obfuscatePassword("test123")).Should(Equal("*******"))
|
||||
})
|
||||
It("should not log the sentinel password", func() {
|
||||
c.SentinelPassword = secretValue
|
||||
c.LogConfig(logger)
|
||||
|
||||
Expect(hook.Calls).ShouldNot(BeEmpty())
|
||||
Expect(hook.Messages).ShouldNot(ContainElement(ContainSubstring(secretValue)))
|
||||
})
|
||||
})
|
||||
})
|
||||
|
|