Merge pull request #974 from rbamberger/filter-log-messages

Handle Dynatrace API Token in the sanitizer
cloudfoundry · Jun 13, 2023 · 2b07d6c · 2b07d6c
2 parents b890725 + b44919f
commit 2b07d6c
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 2 deletions.
diff --git a/lib/java_buildpack/util/sanitizer.rb b/lib/java_buildpack/util/sanitizer.rb
@@ -18,14 +18,46 @@
 # A mixin that adds the ability to turn a +String+ into sanitized uri
 class String
 
+  # Takes the uri query params and strips out credentials
+  #
+  # @return [String] the sanitized query params
+  def handle_params(params)
+    keywords = /key
+               |password
+               |username
+               |cred(ential)*(s)*
+               |password
+               |token
+               |api[-_]token
+               |api
+               |auth(entication)*
+               |access[-_]token
+               |secret[-_]token/ix
+
+    query_params = ''
+
+    params.each do |key, _|
+      params[key] = '***' if key.match(keywords)
+      query_params += key + '=' + params[key] + '&'
+    end
+
+    query_params
+  end
+
   # Takes a uri and strips out any credentials it may contain.
   #
   # @return [String] the sanitized uri
   def sanitize_uri
     rich_uri          = URI(self)
     rich_uri.user     = nil
     rich_uri.password = nil
+
+    if rich_uri.query
+      params = (URI.decode_www_form rich_uri.query).to_h
+      query_params = handle_params(params)
+      rich_uri.query = query_params.chop
+    end
+
     rich_uri.to_s
   end
-
 end
diff --git a/spec/java_buildpack/util/sanitize_spec.rb b/spec/java_buildpack/util/sanitize_spec.rb
@@ -23,7 +23,23 @@
   include_context 'with application help'
 
   it 'sanitizes uri with credentials in' do
-    expect('https://myuser:mypass@myhost/path/to/file'.sanitize_uri).to eq('https://myhost/path/to/file')
+    expect('https://myuser:mypass@myhost/path/to/file'\
+           '?authentication=verysecret'\
+           '&cred=verysecret'\
+           '&password=verysecret'\
+           '&include=java'\
+           '&bitness=64'\
+           '&Api-Token=dt0c01.H67ALCXCXK7PWAAOQLENSRET.PRIVATEPART'\
+           '&secret-token=verysecret'\
+           '&token=123456789'.sanitize_uri).to eq('https://myhost/path/to/file'\
+                                                  '?authentication=***'\
+                                                  '&cred=***'\
+                                                  '&password=***'\
+                                                  '&include=java'\
+                                                  '&bitness=64'\
+                                                  '&Api-Token=***'\
+                                                  '&secret-token=***'\
+                                                  '&token=***')
   end
 
   it 'does not sanatize uri with no credentials in' do