Improve host.json sanitization

release_notes.md

@@ -21,3 +21,4 @@
 - Add new Host to Worker RPC extensibility feature for out-of-proc workers. (https://github.com/Azure/azure-functions-host/pull/9292)
 - Apply capabilities on environment reload (placeholder mode scenarios) (https://github.com/Azure/azure-functions-host/pull/9367)
 - Update PowerShell Worker 7.2 to 4.0.2890 [Release Note](https://github.com/Azure/azure-functions-powershell-worker/releases/tag/v4.0.2890)
+- Improve host.json sanitization

src/WebJobs.Script/Config/HostJsonFileConfigurationSource.cs

@@ -54,6 +54,8 @@ public class HostJsonFileConfigurationProvider : ConfigurationProvider
                 "customHandler", "httpWorker", "extensions", "concurrency"
             };
 
+            private static readonly string[] CredentialNameFragments = new[] { "password", "pwd", "key", "secret", "token", "sas" };
+
             private readonly HostJsonFileConfigurationSource _configurationSource;
             private readonly Stack<string> _path;
             private readonly ILogger _logger;
@@ -275,14 +277,65 @@ private JObject TryAddBundleConfiguration(JObject content, string bundleId, stri
 
             internal static string SanitizeHostJson(JObject hostJsonObject)
             {
-                JObject sanitizedObject = new JObject();
+                static bool IsPotentialCredential(string name)
+                {
+                    foreach (string fragment in CredentialNameFragments)
+                    {
+                        if (name.Contains(fragment, StringComparison.OrdinalIgnoreCase))
+                        {
+                            return true;
+                        }
+                    }
+
+                    return false;
+                }
+
+                static JToken Sanitize(JToken token)
+                {
+                    if (token is JObject obj)
+                    {
+                        JObject sanitized = new JObject();
+                        foreach (var prop in obj)
+                        {
+                            if (IsPotentialCredential(prop.Key))
+                            {
+                                sanitized[prop.Key] = Sanitizer.SecretReplacement;
+                            }
+                            else
+                            {
+                                sanitized[prop.Key] = Sanitize(prop.Value);
+                            }
+                        }
 
+                        return sanitized;
+                    }
+
+                    if (token is JArray arr)
+                    {
+                        JArray sanitized = new JArray();
+                        foreach (var value in arr)
+                        {
+                            sanitized.Add(Sanitize(value));
+                        }
+
+                        return sanitized;
+                    }
+
+                    if (token.Type == JTokenType.String)
+                    {
+                        return Sanitizer.Sanitize(token.ToString());
+                    }
+
+                    return token;
+                }
+
+                JObject sanitizedObject = new JObject();
                 foreach (var propName in WellKnownHostJsonProperties)
                 {
                     var propValue = hostJsonObject[propName];
                     if (propValue != null)
                     {
-                        sanitizedObject[propName] = propValue;
+                        sanitizedObject[propName] = Sanitize(propValue);
                     }
                 }
 

src/WebJobs.Script/Sanitizer.cs

@@ -11,7 +11,7 @@ namespace Microsoft.Azure.WebJobs.Logging
     // Note: This file is shared between the WebJobs SDK and Script repos. Update both if changes are needed.
     internal static class Sanitizer
     {
-        private const string SecretReplacement = "[Hidden Credential]";
+        public const string SecretReplacement = "[Hidden Credential]";
         private static readonly char[] ValueTerminators = new char[] { '<', '"', '\'' };
 
         // List of keywords that should not be replaced with [Hidden Credential]

test/WebJobs.Script.Tests/Configuration/HostJsonFileConfigurationSourceTests.cs

@@ -160,7 +160,12 @@ public void Initialize_Sanitizes_HostJsonLog()
                 'logging': {
                     'categoryFilter': {
                         'defaultLevel': 'Information'
-                    }
+                    },
+                    'prop': 'Hey=AS1$@%#$%W-k2j"";SharedAccessKey=foo,Data Source=barzons,Server=bathouse""testing',
+                    'values': [ 'plain', 10, 'Password=hunter2' ],
+                    'my-password': 'hunter2',
+                    'service_token': 'token',
+                    'StorageSas': 'access'
                 },
                 'Values': {
                     'MyCustomValue': 'abc'
@@ -182,7 +187,12 @@ public void Initialize_Sanitizes_HostJsonLog()
                 'logging': {
                     'categoryFilter': {
                         'defaultLevel': 'Information'
-                    }
+                    },
+                    'prop': 'Hey=AS1$@%#$%W-k2j"";[Hidden Credential]""testing',
+                    'values': [ 'plain', 10, '[Hidden Credential]' ],
+                    'my-password': '[Hidden Credential]',
+                    'service_token': '[Hidden Credential]',
+                    'StorageSas': '[Hidden Credential]'
                 }
             }";