redact 'token' strings from logging
It's common for users to set 'TOKEN' as an env var. While this is a little like whack-a-mole and we can't cover everything, this seems like a common string to redact.

Closes bazelbuild#16622.

PiperOrigin-RevId: 488392632
Change-Id: I7b48199cc140d6736cd145df63e03eeda747c7fb
(cherry picked from commit 1940c5d)
mattem authored and meisterT committed Nov 14, 2022
1 parent 3bda5c9 commit 47051e5
Showing 2 changed files with 13 additions and 2 deletions.
Expand Up @@ -21,14 +21,15 @@
/** Utils for logging safely user commandlines. */
public class SafeRequestLogging {
private static final Pattern suppressFromLog =
Pattern.compile("--client_env=([^=]*(?:auth|pass|cookie)[^=]*)=", Pattern.CASE_INSENSITIVE);
Pattern.compile(
"--client_env=([^=]*(?:auth|pass|cookie|token)[^=]*)=", Pattern.CASE_INSENSITIVE);

private SafeRequestLogging() {}

/**
* Generates a string form of a request to be written to the logs, filtering the user environment
* to remove anything that looks private. The current filter criteria removes any variable whose
* name includes "auth", "pass", or "cookie".
* name includes "auth", "pass", "cookie" or "token".
*
* @return the filtered request to write to the log.
*/
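Review bot: the `token` alternation matches any substring of the variable name, so names such as `TOKENIZER_PATH` or `GITHUB_TOKEN_FILE` will also be redacted; that is the safe failure direction for a log filter, but the updated Javadoc ("name includes ...") should state explicitly that matching is on substrings and case-insensitive, so later readers do not assume exact-name matching. Since the commit message acknowledges this is whack-a-mole, `secret` is a natural candidate for the same alternation, e.g. `(?:auth|pass|cookie|token|secret)`, and is worth considering in this change or a follow-up. Note that the filter still only inspects `--client_env=` entries, as the `--client_env=` prefix in the pattern shows.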
Expand Up @@ -69,6 +69,16 @@ public void testGetRequestLogStringStripsApparentPasswordValues() {
"[--client_env=dont_paSS_ME=__private_value_removed__, --client_env=other=isprinted]");
}

@Test
public void testGetRequestLogStringStripsApparentTokenValues() {
assertThat(
SafeRequestLogging.getRequestLogString(
ImmutableList.of(
"--client_env=service_ToKEn=notprinted", "--client_env=other=isprinted")))
.isEqualTo(
"[--client_env=service_ToKEn=__private_value_removed__, --client_env=other=isprinted]");
}

@Test
public void testGetRequestLogIgnoresSensitiveTermsInValues() {
assertThat(SafeRequestLogging.getRequestLogString(ImmutableList.of("--client_env=ok=COOKIE")))
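Review bot: the new `testGetRequestLogStringStripsApparentTokenValues` only exercises the name-match direction (mixed-case `service_ToKEn` in the variable name). The adjacent `testGetRequestLogIgnoresSensitiveTermsInValues` verifies that a sensitive term in the value (`COOKIE`) is not redacted; please extend it, or add a sibling case, with a `token` value such as `--client_env=ok=TOKEN`, so the new term is covered on both sides of the `=` and a future regex change cannot silently start redacting on values.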
