From e2be18ad341084a3eae0a7192c063de6abe8ff2b Mon Sep 17 00:00:00 2001
From: Rene Bamberger
Date: Mon, 3 Oct 2022 14:45:03 +0200
Subject: [PATCH 1/4] Handle Dynatrace API Token in the sanitizer

---
 lib/java_buildpack/util/sanitizer.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/java_buildpack/util/sanitizer.rb b/lib/java_buildpack/util/sanitizer.rb
index 29253e07fd..c2dbac667f 100644
--- a/lib/java_buildpack/util/sanitizer.rb
+++ b/lib/java_buildpack/util/sanitizer.rb
@@ -25,6 +25,7 @@ def sanitize_uri
 rich_uri = URI(self)
 rich_uri.user = nil
 rich_uri.password = nil
+ rich_uri.query = rich_uri.query&.gsub(/(Api-Token=dt\w*\.\w*)\.\w*/, '\1.REDACTED')
 rich_uri.to_s
 end

From 10ea15aee24115eb5fdf47a48ad48d203ede03a0 Mon Sep 17 00:00:00 2001
From: Rene Bamberger
Date: Mon, 5 Dec 2022 15:24:01 +0100
Subject: [PATCH 2/4] Remove sensitive information from URI query parameters

---
 lib/java_buildpack/util/sanitizer.rb | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/lib/java_buildpack/util/sanitizer.rb b/lib/java_buildpack/util/sanitizer.rb
index c2dbac667f..68f6a26a37 100644
--- a/lib/java_buildpack/util/sanitizer.rb
+++ b/lib/java_buildpack/util/sanitizer.rb
@@ -22,11 +22,32 @@ class String
 #
 # @return [String] the sanitized uri
 def sanitize_uri
+ keywords = /key|password|username|cred[entials]*[s]*|password|token|api[-_]token|api|auth[entication]*|access[-_]token|secret[-_]token/i
+
 rich_uri = URI(self)
 rich_uri.user = nil
 rich_uri.password = nil
- rich_uri.query = rich_uri.query&.gsub(/(Api-Token=dt\w*\.\w*)\.\w*/, '\1.REDACTED')
+
+ if(rich_uri.query)
+ params = Hash[URI.decode_www_form rich_uri.query]
+
+ query_params = ""
+
+ params.each do |key,value|
+ match = key.match(keywords)
+
+ if(match)
+ if(match[0] == "Api-Token" && value =~ /dt\w*/)
+ params[key] = value.gsub(/(dt\w*\.\w*)\.\w*/, '\1.REDACTED')
+ else
+ params[key] = "***"
+ end
+ end
+
+ query_params += key + "=" + params[key] + "&"
+ end
+ rich_uri.query = query_params.chop
+ end
 rich_uri.to_s
 end
-
 end

From f73c65b428425ead78df5a9847453bb13cbfd681 Mon Sep 17 00:00:00 2001
From: Rene Bamberger
Date: Mon, 23 Jan 2023 08:28:41 +0100
Subject: [PATCH 3/4] Tests added

---
 lib/java_buildpack/util/sanitizer.rb | 59 +++++++++++++++--------
 spec/java_buildpack/util/sanitize_spec.rb | 18 ++++++-
 2 files changed, 56 insertions(+), 21 deletions(-)

diff --git a/lib/java_buildpack/util/sanitizer.rb b/lib/java_buildpack/util/sanitizer.rb
index 68f6a26a37..eafb4729b7 100644
--- a/lib/java_buildpack/util/sanitizer.rb
+++ b/lib/java_buildpack/util/sanitizer.rb
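Review bot: The query is rebuilt from already-decoded values in `query_params += key + "=" + params[key] + "&"`, so any reserved character that `URI.decode_www_form` unescaped — `&`, `=`, `#`, or a `+` that became a space — is written back raw and can split or corrupt the sanitized query instead of surviving the round trip; `Hash[...]` additionally collapses repeated keys. Whether `rich_uri.query=` then re-escapes or rejects such a string depends on the Ruby version, so the observable result is not obvious from the hunk. Joining through `URI.encode_www_form` on the decoded pairs keeps the query well-formed and keeps duplicates, makes the manual `+ "&"` / `chop` bookkeeping unnecessary, and the same reconstruction is carried into `handle_params` by the sanitizer hunks of patches 3 and 4.
```ruby
    rich_uri.password = nil

    if rich_uri.query
      redacted = URI.decode_www_form(rich_uri.query).map do |key, value|
        match = key.match(keywords)
        next [key, value] unless match

        # keep the Dynatrace token shape recognisable, blank everything else
        if match[0] == 'Api-Token' && value =~ /dt\w*/
          [key, value.gsub(/(dt\w*\.\w*)\.\w*/, '\1.REDACTED')]
        else
          [key, '***']
        end
      end
      # re-encode so reserved characters in values cannot restructure the query
      rich_uri.query = URI.encode_www_form(redacted)
    end
    # … unchanged: rich_uri.to_s …
```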
@@ -18,36 +18,55 @@
 # A mixin that adds the ability to turn a +String+ into sanitized uri
 class String

+ # Takes the uri query params and strips out credentials
+ #
+ # @return [String] the sanitized query params
+ def handle_params(params)
+ keywords = /key
+ |password
+ |username
+ |cred(ential)*(s)*
+ |password
+ |token
+ |api[-_]token
+ |api
+ |auth(entication)*
+ |access[-_]token
+ |secret[-_]token/ix
+
+ query_params = ''
+
+ params.each do |key, value|
+ match = key.match(keywords)
+
+ if match
+ params[key] = if match[0] == 'Api-Token' && value =~ /dt\w*/
+ value.gsub(/(dt\w*\.\w*)\.\w*/, '\1.REDACTED')
+ else
+ '***'
+ end
+ end
+
+ query_params += key + '=' + params[key] + '&'
+ end
+
+ query_params
+ end
+
 # Takes a uri and strips out any credentials it may contain.
 #
 # @return [String] the sanitized uri
 def sanitize_uri
- keywords = /key|password|username|cred[entials]*[s]*|password|token|api[-_]token|api|auth[entication]*|access[-_]token|secret[-_]token/i
-
 rich_uri = URI(self)
 rich_uri.user = nil
 rich_uri.password = nil

- if(rich_uri.query)
- params = Hash[URI.decode_www_form rich_uri.query]
-
- query_params = ""
-
- params.each do |key,value|
- match = key.match(keywords)
-
- if(match)
- if(match[0] == "Api-Token" && value =~ /dt\w*/)
- params[key] = value.gsub(/(dt\w*\.\w*)\.\w*/, '\1.REDACTED')
- else
- params[key] = "***"
- end
- end
-
- query_params += key + "=" + params[key] + "&"
- end
+ if rich_uri.query
+ params = (URI.decode_www_form rich_uri.query).to_h
+ query_params = handle_params(params)
 rich_uri.query = query_params.chop
 end
+
 rich_uri.to_s
 end
 end
diff --git a/spec/java_buildpack/util/sanitize_spec.rb b/spec/java_buildpack/util/sanitize_spec.rb
index 290243e18b..59609ea91d 100644
--- a/spec/java_buildpack/util/sanitize_spec.rb
+++ b/spec/java_buildpack/util/sanitize_spec.rb
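Review bot: `handle_params` is added as a public instance method on core `String`, so every string in the process now responds to a generically named method that only `sanitize_uri` uses; mark it `private :handle_params` after the definition (or move it into a module the mixin holds) so it cannot be reached or shadowed from elsewhere. Its YARD says `@return [String] the sanitized query params`, yet the returned string carries a trailing `&` that the caller has to `chop`, so the documented contract and the actual one differ; returning `query_params.chop` from `handle_params` would let `sanitize_uri` assign the result directly. It also rewrites the `params` hash it receives in place, which deserves a one-line comment since the caller builds that hash only for this call.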
@@ -23,7 +23,23 @@
 include_context 'with application help'

 it 'sanitizes uri with credentials in' do
- expect('https://myuser:mypass@myhost/path/to/file'.sanitize_uri).to eq('https://myhost/path/to/file')
+ expect('https://myuser:mypass@myhost/path/to/file'\
+ '?authentication=verysecret'\
+ '&cred=verysecret'\
+ '&password=verysecret'\
+ '&include=java'\
+ '&bitness=64'\
+ '&Api-Token=dt0c01.H67ALCXCXK7PWAAOQLENSRET.PRIVATEPART'\
+ '&secret-token=verysecret'\
+ '&token=123456789'.sanitize_uri).to eq('https://myhost/path/to/file'\
+ '?authentication=***'\
+ '&cred=***'\
+ '&password=***'\
+ '&include=java'\
+ '&bitness=64'\
+ '&Api-Token=dt0c01.H67ALCXCXK7PWAAOQLENSRET.REDACTED'\
+ '&secret-token=***'\
+ '&token=***')
 end

 it 'does not sanatize uri with no credentials in' do

From b44919f0ee40325a854949d459cf4d742652f4de Mon Sep 17 00:00:00 2001
From: Rene Bamberger
Date: Wed, 19 Apr 2023 09:26:25 +0200
Subject: [PATCH 4/4] special handling for token removed

---
 lib/java_buildpack/util/sanitizer.rb | 13 ++-----------
 spec/java_buildpack/util/sanitize_spec.rb | 2 +-
 2 files changed, 3 insertions(+), 12 deletions(-)

diff --git a/lib/java_buildpack/util/sanitizer.rb b/lib/java_buildpack/util/sanitizer.rb
index eafb4729b7..6f1f5de2df 100644
--- a/lib/java_buildpack/util/sanitizer.rb
+++ b/lib/java_buildpack/util/sanitizer.rb
@@ -36,17 +36,8 @@ def handle_params(params)
 query_params = ''
- params.each do |key, value|
- match = key.match(keywords)
-
- if match
- params[key] = if match[0] == 'Api-Token' && value =~ /dt\w*/
- value.gsub(/(dt\w*\.\w*)\.\w*/, '\1.REDACTED')
- else
- '***'
- end
- end
-
+ params.each do |key, _|
+ params[key] = '***' if key.match(keywords)
 query_params += key + '=' + params[key] + '&' + end
diff --git a/spec/java_buildpack/util/sanitize_spec.rb b/spec/java_buildpack/util/sanitize_spec.rb
index 59609ea91d..f7c929a48f 100644
--- a/spec/java_buildpack/util/sanitize_spec.rb
+++ b/spec/java_buildpack/util/sanitize_spec.rb
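Review bot: The new expectation in `it 'sanitizes uri with credentials in'` only exercises lowercase keys and plain alphanumeric values, so the `/i` flag on the keyword pattern and the handling of percent-encoded or repeated parameters stay untested. Adding a mixed-case key (constructed example: `&API_KEY=x` expected to come back as `&API_KEY=***`), a value with an escaped character such as `&include=a%20b`, and a repeated key such as `&include=java&include=groovy` would pin what the decode/re-join in `sanitize_uri` does to them. Because the pattern is unanchored, a key that merely contains a keyword (`&rapid=1` appears to match the `api` alternative) is blanked as well; if that over-redaction is intended, one assertion documenting it would keep it from being "fixed" later.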
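Review bot: The new loop header `params.each do |key, _|` discards the yielded value and then reads `params[key]` back after writing `'***'` into the caller's hash; `params.each do |key, value|` with `query_params += key + '=' + (key.match?(keywords) ? '***' : value) + '&'` produces the same string without mutating the argument or doing the second hash lookup. `key.match(keywords)` allocates a `MatchData` that is never used now that the Dynatrace branch is gone, so `match?` is the right predicate here. `handle_params` begins above this hunk, where `keywords` is defined, and its closing lines lie below it.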
@@ -37,7 +37,7 @@
 '&password=***'\
 '&include=java'\
 '&bitness=64'\
- '&Api-Token=dt0c01.H67ALCXCXK7PWAAOQLENSRET.REDACTED'\
+ '&Api-Token=***'\
 '&secret-token=***'\
 '&token=***')
 end