Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: remove db password from logs #89

Merged
merged 5 commits into from
Feb 6, 2024
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [5.0.6] - 2024-01-25

- Fixes the issue where passwords were inadvertently logged in the logs.

## [5.0.5] - 2023-12-06

- Validates db config types in `canBeUsed` function
Expand Down
2 changes: 1 addition & 1 deletion build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ plugins {
id 'java-library'
}

version = "5.0.5"
version = "5.0.6"

repositories {
mavenCentral()
Expand Down
14 changes: 11 additions & 3 deletions src/main/java/io/supertokens/storage/mysql/config/MySQLConfig.java
Original file line number Diff line number Diff line change
Expand Up @@ -509,10 +509,18 @@ public String getConnectionPoolId() {
StringBuilder connectionPoolId = new StringBuilder();
for (Field field : MySQLConfig.class.getDeclaredFields()) {
if (field.isAnnotationPresent(ConnectionPoolProperty.class)) {
connectionPoolId.append("|");
try {
if (field.get(this) != null) {
connectionPoolId.append(field.get(this).toString());
String fieldName = field.getName();
String fieldValue = field.get(this) != null ? field.get(this).toString() : null;
if(fieldValue == null) {
continue;
}
// To ensure a unique connectionPoolId we include the database password and use the "|db_pass|" identifier.
// This facilitates easy removal of the password from logs when necessary.
if (fieldName.equals("mysql_password")) {
connectionPoolId.append("|db_pass|" + fieldValue + "|db_pass");
} else {
connectionPoolId.append("|" + fieldValue);
}
} catch (IllegalAccessException e) {
throw new RuntimeException(e);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

class CustomLayout extends LayoutBase<ILoggingEvent> {

Expand All @@ -35,6 +37,21 @@ class CustomLayout extends LayoutBase<ILoggingEvent> {
this.processID = processID;
}

public static String maskDBPassword(String log) {
String regex = "(\\|db_pass\\|)(.*?)(\\|db_pass\\|)";

Matcher matcher = Pattern.compile(regex).matcher(log);
StringBuffer maskedLog = new StringBuffer();

while (matcher.find()) {
String maskedPassword = "*".repeat(8);
matcher.appendReplacement(maskedLog, "|" + maskedPassword + "|");
}

matcher.appendTail(maskedLog);
return maskedLog.toString();
}

@Override
public String doLayout(ILoggingEvent event) {
StringBuilder sbuf = new StringBuilder();
Expand All @@ -58,7 +75,7 @@ public String doLayout(ILoggingEvent event) {
sbuf.append(event.getCallerData()[1]);
sbuf.append(" | ");

sbuf.append(event.getFormattedMessage());
sbuf.append(maskDBPassword(event.getFormattedMessage()));
sbuf.append(CoreConstants.LINE_SEPARATOR);
sbuf.append(CoreConstants.LINE_SEPARATOR);

Expand Down
43 changes: 43 additions & 0 deletions src/test/java/io/supertokens/storage/mysql/test/LoggingTest.java
Original file line number Diff line number Diff line change
Expand Up @@ -308,6 +308,49 @@ public void confirmHikariLoggerClosedOnlyWhenProcessEnds() throws Exception {
assertFalse(hikariLogger.iteratorForAppenders().hasNext());
}

@Test
public void testDBPasswordMasking() throws Exception {
StorageLayer.close();
String[] args = { "../" };
TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);

assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));

File infoLog = new File(Config.getConfig(process.getProcess()).getInfoLogPath(process.getProcess()));
File errorLog = new File(Config.getConfig(process.getProcess()).getErrorLogPath(process.getProcess()));

Logging.error((Start) StorageLayer.getStorage(process.getProcess()), "ERROR LOG: |db_pass|password|db_pass|", false);
Logging.info((Start) StorageLayer.getStorage(process.getProcess()), "INFO LOG: |db_pass|password|db_pass|", true);

boolean dbPasswordMaskedInInfoLog = false;
boolean dbPasswordMaskedInErrorLog = false;

try (Scanner scanner = new Scanner(infoLog, StandardCharsets.UTF_8)) {
while (scanner.hasNextLine()) {
String line = scanner.nextLine();
if(line.contains("INFO LOG") && line.contains("INFO LOG: |********|")) {
dbPasswordMaskedInInfoLog = true;
break;
}
}
}

try (Scanner errorScanner = new Scanner(errorLog, StandardCharsets.UTF_8)) {
while (errorScanner.hasNextLine()) {
String line = errorScanner.nextLine();
if(line.contains("ERROR LOG") && line.contains("ERROR LOG: |********|")) {
dbPasswordMaskedInErrorLog = true;
break;
}
}
}

assertTrue(dbPasswordMaskedInInfoLog && dbPasswordMaskedInErrorLog);
process.kill();

assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
}

private static int countAppenders(ch.qos.logback.classic.Logger logger) {
int count = 0;
Iterator<Appender<ILoggingEvent>> appenderIter = logger.iteratorForAppenders();
Expand Down
Loading