Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PoC: Guard secret attributes against leaking to the logs V1.0 #1359

Closed
wants to merge 1 commit into from
Closed

PoC: Guard secret attributes against leaking to the logs V1.0 #1359

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions src/lib/y2network/connection_config/wireless.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ class Wireless < Base
attr_accessor :client_key
# @return [String] client private key password
attr_accessor :client_key_password
alias_method :super_inspect, :inspect

def initialize
super
Expand Down Expand Up @@ -113,6 +114,28 @@ def mode=(wireless_mode)
def keys?
!(keys || []).compact.all?(&:empty?)
end

# Return a clone of this object with all sensitive fields (passwords etc.) obscured.
# Use this for log output to avoid leaking passwords.
def sanitized
san = dup
san.wpa_psk = sanitized_field(san.wpa_psk)
san.wpa_password = sanitized_field(san.wpa_password)
san.client_key_password = sanitized_field(san.client_key_password)

san
end

# Sanitize one field if it is non-nil and non-empty.
def sanitized_field(orig)
return orig if orig.nil? || orig.empty?

"<sanitized>".freeze
end

def inspect
sanitized.super_inspect
end
end
end
end
48 changes: 48 additions & 0 deletions test/y2network/config_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -604,4 +604,52 @@
expect(new_config.connections).to eq(updated_connections)
end
end

describe "#sanitized" do
let(:conn) do
Y2Network::ConnectionConfig::Wireless.new.tap do |c|
c.wpa_psk = "s3cr3t"
c.wpa_password = "s3cr3t"
c.client_key_password = "s3cr3t"
end
end

it "obscures the wpa_psk" do
expect(conn.wpa_psk).to eql("s3cr3t")
expect(conn.sanitized.wpa_psk).to eql("<sanitized>")
end

it "obscures the wpa_password" do
expect(conn.wpa_password).to eql("s3cr3t")
expect(conn.sanitized.wpa_password).to eql("<sanitized>")
end

it "obscures the client_key_password" do
expect(conn.client_key_password).to eql("s3cr3t")
expect(conn.sanitized.client_key_password).to eql("<sanitized>")
end

it "leaves the original untouched" do
expect(conn.sanitized.wpa_psk).to eql("<sanitized>")
expect(conn.wpa_psk).to eql("s3cr3t")
end
end

describe "#inspect" do
let(:conn) do
Y2Network::ConnectionConfig::Wireless.new.tap do |c|
c.wpa_psk = "s3cr3t"
c.wpa_password = "s3cr3t"
c.client_key_password = "s3cr3t"
end
end

it "does not leak a password" do
expect(conn.inspect).to_not match(/s3cr3t/)
end

it "contains <sanitized> instead of passwords" do
expect(conn.inspect).to match(/<sanitized>/)
end
end
end
Loading