
Sebastian Sdorra  committed 3caf71b

do not log sensitive cgi env variables

  • Parent commits add95a3


Files changed (2)

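--- a/scm-core/src/main/java/sonia/scm/web/cgi/EnvList.java
+++ b/scm-core/src/main/java/sonia/scm/web/cgi/EnvList.java
 
 //~--- non-JDK imports --------------------------------------------------------
 
+import com.google.common.collect.ImmutableSet;
+
 import sonia.scm.util.Util;
 
 //~--- JDK imports ------------------------------------------------------------
 public class EnvList
 {
 
+  /** Field description */
+  private static final ImmutableSet<String> SENSITIVE =
+    ImmutableSet.of("HTTP_AUTHORIZATION", "SCM_CHALLENGE", "SCM_CREDENTIALS");
+
+  //~--- constructors ---------------------------------------------------------
+
   /**
    *    Constructs ...
    *
     String s = System.getProperty("line.separator");
     StringBuilder out = new StringBuilder("Environment:");
 
-    out.append(s);
+    Iterator<String> it = envMap.values().iterator();
 
-    Iterator<String> it = envMap.values().iterator();
+    String v;
 
     while (it.hasNext())
     {
-      out.append("  ").append(it.next());
-
-      if (it.hasNext())
-      {
-        out.append(s);
-      }
+      v = converSensitive(it.next());
+      out.append(s).append("  ").append(v);
     }
 
     return out.toString();
     envMap.put(name, name.concat("=").concat(Util.nonNull(value)));
   }
 
+  //~--- methods --------------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @param v
+   *
+   * @return
+   */
+  private String converSensitive(String v)
+  {
+    String result = v;
+
+    for (String s : SENSITIVE)
+    {
+      if (v.startsWith(s))
+      {
+        result = s.concat("=(is set)");
+
+        break;
+      }
+    }
+
+    return result;
+  }
+
   //~--- fields ---------------------------------------------------------------
 
   /** Field description */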
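Review bot: `converSensitive` matches the bare name as a prefix (`v.startsWith(s)`) although `set` stores every entry as `name=value` (the `name.concat("=")` line in this hunk), so the check should include the delimiter: `if (v.startsWith(s.concat("=")))`; as written, any variable whose name merely begins with one of the three entries is masked as well, and it is unclear whether that is intended. The masking also rests entirely on this three-entry deny-list, so any other entry that carries a credential or session value (an `HTTP_COOKIE` entry, should this list ever receive one) is still written to the log in full; either document the list as deliberately minimal or consider matching on name fragments such as `AUTH`, `CREDENTIAL`, `PASSWORD` and `TOKEN` so new variables are masked by default. The Javadoc on the new method is the generator's placeholder; a one-liner such as `/** Replaces the value of a credential-bearing "name=value" entry with "(is set)" so the list can be logged safely. */` would do, and the name reads as a typo for `convertSensitive`. The `toString` method edited in the middle of this hunk starts outside the hunk.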

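--- a/scm-core/src/test/java/sonia/scm/web/cgi/EnvListTest.java
+++ b/scm-core/src/test/java/sonia/scm/web/cgi/EnvListTest.java
+/**
+ * Copyright (c) 2010, Sebastian Sdorra All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer. 2. Redistributions in
+ * binary form must reproduce the above copyright notice, this list of
+ * conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution. 3. Neither the name of SCM-Manager;
+ * nor the names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.web.cgi;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import org.junit.Test;
+
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author Sebastian Sdorra
+ */
+public class EnvListTest
+{
+
+  /**
+   * Method description
+   *
+   */
+  @Test
+  public void testToString()
+  {
+    EnvList envList = new EnvList();
+
+    envList.set("HTTP_AUTHORIZATION", "Basic xxx");
+    envList.set("SOME_OTHER", "other");
+
+    String value = envList.toString();
+
+    assertTrue(value.contains("SOME_OTHER=other"));
+    assertFalse(value.contains("HTTP_AUTHORIZATION=Basic xxx"));
+    assertTrue(value.contains("HTTP_AUTHORIZATION=(is set)"));
+  }
+}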
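Review bot: The leak assertion `assertFalse(value.contains("HTTP_AUTHORIZATION=Basic xxx"));` only fails when the name and the complete value appear together; asserting on the secret alone, `assertFalse(value.contains("xxx"));`, catches a partial or reformatted leak as well, and the two other masked names, `SCM_CHALLENGE` and `SCM_CREDENTIALS`, are not exercised at all. A further `set` with a name that only shares a prefix (a constructed `SCM_CHALLENGE_X`, say) would pin down whether prefix-only matching is the intended behaviour of the masking. `import static org.junit.Assert.*;` is a wildcard import; import `assertTrue` and `assertFalse` explicitly. The `Method description` Javadoc on `testToString` is a placeholder and should either be dropped or state what the test covers, e.g. `/** Sensitive entries must be masked in toString(), other entries printed verbatim. */`.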