Do not log sensitive CGI env variables

This commit is contained in:
Sebastian Sdorra
2012-10-17 12:45:51 +02:00
parent 8552b564f1
commit 101c399079
2 changed files with 104 additions and 8 deletions


@@ -35,6 +35,8 @@ package sonia.scm.web.cgi;
//~--- non-JDK imports -------------------------------------------------------- //~--- non-JDK imports --------------------------------------------------------
import com.google.common.collect.ImmutableSet;
import sonia.scm.util.Util; import sonia.scm.util.Util;
//~--- JDK imports ------------------------------------------------------------ //~--- JDK imports ------------------------------------------------------------
@@ -50,6 +52,12 @@ import java.util.Map;
public class EnvList public class EnvList
{ {
/** Field description */
private static final ImmutableSet<String> SENSITIVE =
ImmutableSet.of("HTTP_AUTHORIZATION", "SCM_CHALLENGE", "SCM_CREDENTIALS");
//~--- constructors ---------------------------------------------------------
/** /**
* Constructs ... * Constructs ...
* *
@@ -97,18 +105,14 @@ public class EnvList
String s = System.getProperty("line.separator"); String s = System.getProperty("line.separator");
StringBuilder out = new StringBuilder("Environment:"); StringBuilder out = new StringBuilder("Environment:");
out.append(s);
Iterator<String> it = envMap.values().iterator(); Iterator<String> it = envMap.values().iterator();
String v;
while (it.hasNext()) while (it.hasNext())
{ {
out.append(" ").append(it.next()); v = converSensitive(it.next());
out.append(s).append(" ").append(v);
if (it.hasNext())
{
out.append(s);
}
} }
return out.toString(); return out.toString();
@@ -139,6 +143,33 @@ public class EnvList
envMap.put(name, name.concat("=").concat(Util.nonNull(value))); envMap.put(name, name.concat("=").concat(Util.nonNull(value)));
} }
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*
* @param v
*
* @return
*/
private String converSensitive(String v)
{
String result = v;
for (String s : SENSITIVE)
{
if (v.startsWith(s))
{
result = s.concat("=(is set)");
break;
}
}
return result;
}
//~--- fields --------------------------------------------------------------- //~--- fields ---------------------------------------------------------------
/** Field description */ /** Field description */
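Review bot: `converSensitive` in the fourth hunk tests `v.startsWith(s)` against the stored `NAME=value` string, so any variable whose name merely begins with one of the sensitive names is masked as well; anchoring on the name terminator, `if (v.startsWith(s.concat("=")))`, keeps the check exact without weakening it. The SENSITIVE set in the second hunk names three variables, but other request-derived CGI metavariables that carry credentials, such as HTTP_COOKIE and HTTP_PROXY_AUTHORIZATION, are still written in full by toString, so it is worth deciding whether they belong in the set. The method name reads as a typo for `convertSensitive`, and its placeholder Javadoc should state the contract, e.g. `Replaces the value of a sensitive environment entry with "(is set)" so that credentials never reach the log output.` The EnvList class continues outside these hunks.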


@@ -0,0 +1,65 @@
/**
* Copyright (c) 2010, Sebastian Sdorra All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. 2. Redistributions in
* binary form must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution. 3. Neither the name of SCM-Manager;
* nor the names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.web.cgi;
//~--- non-JDK imports --------------------------------------------------------
import org.junit.Test;
import static org.junit.Assert.*;
/**
*
* @author Sebastian Sdorra
*/
public class EnvListTest
{
/**
* Method description
*
*/
@Test
public void testToString()
{
EnvList envList = new EnvList();
envList.set("HTTP_AUTHORIZATION", "Basic xxx");
envList.set("SOME_OTHER", "other");
String value = envList.toString();
assertTrue(value.contains("SOME_OTHER=other"));
assertFalse(value.contains("HTTP_AUTHORIZATION=Basic xxx"));
assertTrue(value.contains("HTTP_AUTHORIZATION=(is set)"));
}
}
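Review bot: testToString exercises only HTTP_AUTHORIZATION, so the masking of SCM_CHALLENGE and SCM_CREDENTIALS, the other two names in EnvList.SENSITIVE, has no coverage; two more `set`/`assertFalse`/`assertTrue` triples, one per name, would pin it. Asserting that the raw secret is absent from the whole output, `assertFalse(value.contains("Basic xxx"));`, is stronger than checking only the `NAME=value` form, since the intent of the change is that the value never appears in the log in any shape.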