mirror of https://github.com/0xERR0R/blocky.git
fix: obfuscate secrets using a constant length string
parent
2c6b704433
commit
1edf8cc355
|
@ -27,6 +27,8 @@ const (
|
||||||
udpPort = 53
|
udpPort = 53
|
||||||
tlsPort = 853
|
tlsPort = 853
|
||||||
httpsPort = 443
|
httpsPort = 443
|
||||||
|
|
||||||
|
secretObfuscator = "********"
|
||||||
)
|
)
|
||||||
|
|
||||||
type Configurable interface {
|
type Configurable interface {
|
||||||
|
|
|
@ -57,14 +57,10 @@ func (c *QueryLog) censoredTarget() string {
|
||||||
return c.Target
|
return c.Target
|
||||||
}
|
}
|
||||||
|
|
||||||
if target.User == nil {
|
pass, ok := target.User.Password()
|
||||||
|
if !ok {
|
||||||
return c.Target
|
return c.Target
|
||||||
}
|
}
|
||||||
|
|
||||||
// Drop the password since special chars like * get URL escaped
|
return strings.ReplaceAll(c.Target, pass, secretObfuscator)
|
||||||
if pass, hasPass :=target.User.Password(); hasPass {
|
|
||||||
return strings.Replace(target.String(), pass, strings.Repeat("*", len(pass)), 1)
|
|
||||||
}
|
|
||||||
|
|
||||||
return target.String()
|
|
||||||
}
|
}
|
||||||
|
|
|
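Review bot: The new `return strings.ReplaceAll(c.Target, pass, secretObfuscator)` searches the raw target string for the decoded password, so a password written with percent-encoding in `c.Target` will not match and the target is logged with the secret intact (this assumes `target` is a parsed `*url.URL`; the parse is above the hunk). An empty password such as `user:@host` also yields `ok == true` with `pass == ""`, and `ReplaceAll` with an empty pattern inserts the placeholder between every character of the target. The guard could read `if !ok || pass == "" {`, and the encoded case is better handled by replacing the userinfo password segment of the raw string by position than by searching for the decoded value. A table entry with an escaped password in the "secret censoring" spec would cover this.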
@ -56,7 +56,7 @@ var _ = Describe("QueryLogConfig", func() {
|
||||||
Expect(hook.Messages).Should(ContainElement(ContainSubstring("logRetentionDays:")))
|
Expect(hook.Messages).Should(ContainElement(ContainSubstring("logRetentionDays:")))
|
||||||
})
|
})
|
||||||
|
|
||||||
DescribeTable("doesn't print the target password", func(target string) {
|
DescribeTable("secret censoring", func(target string) {
|
||||||
cfg.Type = QueryLogTypeMysql
|
cfg.Type = QueryLogTypeMysql
|
||||||
cfg.Target = target
|
cfg.Target = target
|
||||||
|
|
||||||
|
|
|
@ -1,8 +1,6 @@
|
||||||
package config
|
package config
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"strings"
|
|
||||||
|
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -32,7 +30,7 @@ func (c *Redis) LogConfig(logger *logrus.Entry) {
|
||||||
}
|
}
|
||||||
|
|
||||||
logger.Info("username: ", c.Username)
|
logger.Info("username: ", c.Username)
|
||||||
logger.Info("password: ", obfuscatePassword(c.Password))
|
logger.Info("password: ", secretObfuscator)
|
||||||
logger.Info("database: ", c.Database)
|
logger.Info("database: ", c.Database)
|
||||||
logger.Info("required: ", c.Required)
|
logger.Info("required: ", c.Required)
|
||||||
logger.Info("connectionAttempts: ", c.ConnectionAttempts)
|
logger.Info("connectionAttempts: ", c.ConnectionAttempts)
|
||||||
|
@ -42,7 +40,7 @@ func (c *Redis) LogConfig(logger *logrus.Entry) {
|
||||||
logger.Info("sentinel:")
|
logger.Info("sentinel:")
|
||||||
logger.Info(" master: ", c.Address)
|
logger.Info(" master: ", c.Address)
|
||||||
logger.Info(" username: ", c.SentinelUsername)
|
logger.Info(" username: ", c.SentinelUsername)
|
||||||
logger.Info(" password: ", obfuscatePassword(c.SentinelPassword))
|
logger.Info(" password: ", secretObfuscator)
|
||||||
logger.Info(" addresses:")
|
logger.Info(" addresses:")
|
||||||
|
|
||||||
for _, addr := range c.SentinelAddresses {
|
for _, addr := range c.SentinelAddresses {
|
||||||
|
@ -50,8 +48,3 @@ func (c *Redis) LogConfig(logger *logrus.Entry) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// obfuscatePassword replaces all characters of a password except the first and last with *
|
|
||||||
func obfuscatePassword(pass string) string {
|
|
||||||
return strings.Repeat("*", len(pass))
|
|
||||||
}
|
|
||||||
|
|
|
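Review bot: `logger.Info("password: ", secretObfuscator)` and the sentinel equivalent no longer look at the configured value, so an unset password is logged exactly like a set one. If that is intended, so that neither length nor presence is disclosed, a short comment such as `// placeholder is logged unconditionally so neither length nor presence of the secret is revealed` would keep a later change from reintroducing value-dependent output. If operators are instead expected to notice a Redis connection configured without authentication from this log, the empty case needs its own output. LogConfig starts and ends outside these hunks.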
@ -86,19 +86,23 @@ var _ = Describe("Redis", func() {
|
||||||
ContainElement(ContainSubstring(" - localhost:26380"))))
|
ContainElement(ContainSubstring(" - localhost:26380"))))
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
})
|
|
||||||
|
|
||||||
Describe("obfuscatePassword", func() {
|
const secretValue = "secret-value"
|
||||||
When("password is empty", func() {
|
|
||||||
It("should return empty string", func() {
|
It("should not log the password", func() {
|
||||||
Expect(obfuscatePassword("")).Should(Equal(""))
|
c.Password = secretValue
|
||||||
})
|
c.LogConfig(logger)
|
||||||
|
|
||||||
|
Expect(hook.Calls).ShouldNot(BeEmpty())
|
||||||
|
Expect(hook.Messages).ShouldNot(ContainElement(ContainSubstring(secretValue)))
|
||||||
})
|
})
|
||||||
|
|
||||||
When("password is not empty", func() {
|
It("should not log the sentinel password", func() {
|
||||||
It("should return obfuscated password", func() {
|
c.SentinelPassword = secretValue
|
||||||
Expect(obfuscatePassword("test123")).Should(Equal("*******"))
|
c.LogConfig(logger)
|
||||||
})
|
|
||||||
|
Expect(hook.Calls).ShouldNot(BeEmpty())
|
||||||
|
Expect(hook.Messages).ShouldNot(ContainElement(ContainSubstring(secretValue)))
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
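Review bot: Both new specs only assert that `secretValue` is absent from `hook.Messages`, so they would still pass if the password lines were dropped from `LogConfig` or logged under a different key. Adding a positive check such as `Expect(hook.Messages).Should(ContainElement(ContainSubstring("password: " + secretObfuscator)))` would also pin the placeholder output. For the sentinel spec this only helps if the sentinel block is logged under the spec's configuration, which is not visible in this hunk.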