fix: remove db password from logs #89

Merged
merged 5 commits into from
Feb 6, 2024
Merged
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,10 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [5.0.6] - 2024-01-25

- Fixes the issue where passwords were inadvertently logged in the logs.

## [5.0.5] - 2023-12-06

- Validates db config types in `canBeUsed` function
2 changes: 1 addition & 1 deletion build.gradle
Expand Up @@ -2,7 +2,7 @@ plugins {
id 'java-library'
}

version = "5.0.5"
version = "5.0.6"

repositories {
mavenCentral()
14 changes: 11 additions & 3 deletions src/main/java/io/supertokens/storage/mysql/config/MySQLConfig.java
Expand Up @@ -509,10 +509,18 @@ public String getConnectionPoolId() {
StringBuilder connectionPoolId = new StringBuilder();
for (Field field : MySQLConfig.class.getDeclaredFields()) {
if (field.isAnnotationPresent(ConnectionPoolProperty.class)) {
connectionPoolId.append("|");
try {
if (field.get(this) != null) {
connectionPoolId.append(field.get(this).toString());
String fieldName = field.getName();
String fieldValue = field.get(this) != null ? field.get(this).toString() : null;
if(fieldValue == null) {
continue;
}
// To ensure a unique connectionPoolId we include the database password and use the "|db_pass|" identifier.
// This facilitates easy removal of the password from logs when necessary.
if (fieldName.equals("mysql_password")) {
connectionPoolId.append("|db_pass|" + fieldValue + "|db_pass");
} else {
connectionPoolId.append("|" + fieldValue);
}
} catch (IllegalAccessException e) {
throw new RuntimeException(e);
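Review bot: The closing marker appended on line 79 is `|db_pass` with no trailing bar, so the `|db_pass|` that the regex in `Utils.maskDBPassword` requires only appears when a later non-null `@ConnectionPoolProperty` field appends its `"|" + fieldValue`. `Class.getDeclaredFields()` guarantees no order, so if `mysql_password` is returned last, or every later field is skipped by the `continue` on line 74, the id ends in `...|db_pass` and the password reaches the log unmasked. Making the marker self-contained, `connectionPoolId.append("|db_pass|" + fieldValue + "|db_pass|");`, or having the Utils regex accept a bare closing marker, `"\\|db_pass\\|(.*?)\\|db_pass(?=\\||$)"` with replacement `"|********"`, closes that gap (the Utils hunk in this PR is where the regex lives). Since the plaintext password still travels inside the pool id and is only masked at the output layers this PR touches, any other sink that prints the id would expose it; a digest of the password (e.g. `MessageDigest` SHA-256, hex-encoded) would keep the id unique without carrying the secret, unless something outside this diff depends on the raw value. `field.get(this)` is also evaluated twice on line 72, where `Object raw = field.get(this);` once would do, and `getConnectionPoolId` starts and ends outside the hunk.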
Expand Up @@ -20,7 +20,7 @@
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.core.CoreConstants;
import ch.qos.logback.core.LayoutBase;
import io.supertokens.storage.mysql.Start;
import io.supertokens.storage.mysql.utils.Utils;

import java.text.DateFormat;
import java.text.SimpleDateFormat;
Expand Down Expand Up @@ -58,7 +58,7 @@ public String doLayout(ILoggingEvent event) {
sbuf.append(event.getCallerData()[1]);
sbuf.append(" | ");

sbuf.append(event.getFormattedMessage());
sbuf.append(Utils.maskDBPassword(event.getFormattedMessage()));
sbuf.append(CoreConstants.LINE_SEPARATOR);
sbuf.append(CoreConstants.LINE_SEPARATOR);

11 changes: 6 additions & 5 deletions src/main/java/io/supertokens/storage/mysql/output/Logging.java
Expand Up @@ -37,10 +37,10 @@ public class Logging extends ResourceDistributor.SingletonResource {

private Logging(Start start, String infoLogPath, String errorLogPath) {
this.infoLogger = infoLogPath.equals("null")
? createLoggerForConsole(start, "io.supertokens.storage.mysql.Info")
? createLoggerForConsole(start, "io.supertokens.storage.mysql.Info", LOG_LEVEL.INFO)
: createLoggerForFile(start, infoLogPath, "io.supertokens.storage.mysql.Info");
this.errorLogger = errorLogPath.equals("null")
? createLoggerForConsole(start, "io.supertokens.storage.mysql.Error")
? createLoggerForConsole(start, "io.supertokens.storage.mysql.Error", LOG_LEVEL.ERROR)
: createLoggerForFile(start, errorLogPath, "io.supertokens.storage.mysql.Error");
}

Expand Down Expand Up @@ -154,12 +154,12 @@ public static void error(Start start, String message, boolean toConsoleAsWell, E

private static void systemOut(String msg) {
if (!Start.silent) {
System.out.println(msg);
System.out.println(Utils.maskDBPassword(msg));
}
}

private static void systemErr(String err) {
System.err.println(err);
System.err.println(Utils.maskDBPassword(err));
}

public static void stopLogging(Start start) {
Expand Down Expand Up @@ -198,7 +198,7 @@ private Logger createLoggerForFile(Start start, String file, String name) {
return logger;
}

private Logger createLoggerForConsole(Start start, String name) {
private Logger createLoggerForConsole(Start start, String name, LOG_LEVEL logLevel) {
Logger logger = (Logger) LoggerFactory.getLogger(name);

// We don't need to add appender if it is already added
Expand All @@ -211,6 +211,7 @@ private Logger createLoggerForConsole(Start start, String name) {
ple.setContext(lc);
ple.start();
ConsoleAppender<ILoggingEvent> logConsoleAppender = new ConsoleAppender<>();
logConsoleAppender.setTarget(logLevel == LOG_LEVEL.ERROR ? "System.err" : "System.out");
logConsoleAppender.setEncoder(ple);
logConsoleAppender.setContext(lc);
logConsoleAppender.start();
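Review bot: The target selection added on line 149 sends every level other than `LOG_LEVEL.ERROR` to `System.out`, and nothing documents that the new `logLevel` parameter of `createLoggerForConsole` exists only to pick that stream. A one-line comment above it, `// ERROR goes to System.err so console consumers can separate error output; everything else goes to System.out`, plus a `@param logLevel` entry on the method would make the intent explicit. The masking added in `systemOut`/`systemErr` on lines 126 and 132 covers the direct println paths; messages written through `infoLogger`/`errorLogger` presumably rely on the layout's `doLayout` masking instead, so it is worth confirming that the file-backed loggers created by `createLoggerForFile` use that same layout. `createLoggerForConsole` continues past the hunk.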
17 changes: 17 additions & 0 deletions src/main/java/io/supertokens/storage/mysql/utils/Utils.java
Expand Up @@ -19,6 +19,8 @@

import java.io.ByteArrayOutputStream;
import java.io.PrintStream;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class Utils {
public static String exceptionStacktraceToString(Exception e) {
Expand All @@ -39,4 +41,19 @@ public static String generateCommaSeperatedQuestionMarks(int size) {
}
return builder.toString();
}

public static String maskDBPassword(String log) {
String regex = "(\\|db_pass\\|)(.*?)(\\|db_pass\\|)";

Matcher matcher = Pattern.compile(regex).matcher(log);
StringBuffer maskedLog = new StringBuffer();

while (matcher.find()) {
String maskedPassword = "*".repeat(8);
matcher.appendReplacement(maskedLog, "|" + maskedPassword + "|");
}

matcher.appendTail(maskedLog);
return maskedLog.toString();
}
}
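Review bot: `Pattern.compile(regex)` on line 173 recompiles the pattern on every log line; since the file already uses `"*".repeat(8)` (Java 11+), the method can shrink to `private static final Pattern DB_PASSWORD = Pattern.compile("(\\|db_pass\\|)(.*?)(\\|db_pass\\|)");` at class level plus `return DB_PASSWORD.matcher(log).replaceAll("|********|");` in the body, whichever final regex is chosen — the replacement contains no `$` or `\`, so it is safe as a literal, and the `StringBuffer` and the `find()` loop go away. `.` does not match line terminators, so a password containing a newline is left in the clear; compiling with `Pattern.DOTALL` covers that case. `log` is dereferenced without a null check, and if `getFormattedMessage()` can return null for the callers in this PR (not visible here), `if (log == null) return null;` at the top keeps a logging call from turning into a NullPointerException. A unit test asserting both a marker-enclosed password and a marker-free string would pin the contract down.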