Redact LDAP password if any in request trace (#11750)

Fixes: #11742
Poorna Krishnamoorthy 2021-03-09 14:43:16 -08:00 committed by GitHub
parent fdc2f69218
commit 878bc6c72b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 63 additions and 1 deletions


@ -23,6 +23,7 @@ import (
"net"
"net/http"
"reflect"
"regexp"
"runtime"
"strconv"
"strings"
@ -80,6 +81,17 @@ func (r *recordRequest) Data() []byte {
return logger.BodyPlaceHolder
}
var ldapPwdRegex = regexp.MustCompile("(^.*?)LDAPPassword=([^&]*?)(&(.*?))?$")
// redact LDAP password if part of string
func redactLDAPPwd(s string) string {
parts := ldapPwdRegex.FindStringSubmatch(s)
if len(parts) > 0 {
return parts[1] + "LDAPPassword=*REDACTED*" + parts[3]
}
return s
}
// getOpName sanitizes the operation name for mc
func getOpName(name string) (op string) {
op = strings.TrimPrefix(name, "github.com/minio/minio/cmd.")
@ -129,7 +141,7 @@ func WebTrace(ri *jsonrpc.RequestInfo) trace.Info {
Proto: r.Proto,
Method: r.Method,
Path: SlashSeparator + pathJoin(vars["bucket"], vars["object"]),
RawQuery: r.URL.RawQuery,
RawQuery: redactLDAPPwd(r.URL.RawQuery),
Client: handlers.GetSourceIP(r),
Headers: reqHeaders,
}
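Review bot: `redactLDAPPwd` redacts only the first `LDAPPassword=` occurrence: the lazy `(^.*?)` stops at the first match and `parts[3]` carries the remainder of the query verbatim, so a request that repeats the parameter (`LDAPPassword=a&x=1&LDAPPassword=b`) still writes the second value into the trace, and because nothing anchors the key to a `^` or `&` boundary any key merely ending in `LDAPPassword` is also rewritten. Both are fixed by replacing every match instead of stitching groups by hand: `var ldapPwdRegex = regexp.MustCompile(`(^|&)LDAPPassword=[^&]*`)` and `return ldapPwdRegex.ReplaceAllString(s, "${1}LDAPPassword=*REDACTED*")`, which also makes the `len(parts) > 0` branch unnecessary. A doc comment should state the scope, e.g. `// redactLDAPPwd masks the value of every LDAPPassword query parameter in s; it covers the URL query only, request bodies are handled by recordRequest.Data()`. Note that the match is case-sensitive, which is fine for the fixed STS parameter name, and that the `WebTrace` body continues outside this hunk.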

cmd/http-tracer_test.go Normal file

@ -0,0 +1,50 @@
/*
* MinIO Cloud Storage, (C) 2021 MinIO, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package cmd
import (
"testing"
)
// Test redactLDAPPwd()
func TestRedactLDAPPwd(t *testing.T) {
testCases := []struct {
query string
expectedQuery string
}{
{"", ""},
{"?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=myusername&LDAPPassword=can+youreadthis%3F&Version=2011-06-15",
"?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=myusername&LDAPPassword=*REDACTED*&Version=2011-06-15",
},
{"LDAPPassword=can+youreadthis%3F&Version=2011-06-15&?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=myusername",
"LDAPPassword=*REDACTED*&Version=2011-06-15&?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=myusername",
},
{"?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=myusername&Version=2011-06-15&LDAPPassword=can+youreadthis%3F",
"?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=myusername&Version=2011-06-15&LDAPPassword=*REDACTED*",
},
{
"?x=y&a=b",
"?x=y&a=b",
},
}
for i, test := range testCases {
gotQuery := redactLDAPPwd(test.query)
if gotQuery != test.expectedQuery {
t.Fatalf("test %d: expected %s got %s", i+1, test.expectedQuery, gotQuery)
}
}
}
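Review bot: The fixtures on the three non-empty cases all start with a leading `?`, but the only caller passes `r.URL.RawQuery`, which never contains it, so the test does not exercise the shape of real input; drop the `?` or add one case without it. The cases most likely to leak are also absent: the parameter repeated twice in one query (`{"LDAPPassword=a&x=1&LDAPPassword=b", "LDAPPassword=*REDACTED*&x=1&LDAPPassword=*REDACTED*"}`), an empty value (`LDAPPassword=&Version=2011-06-15`), and a different key that ends in the same suffix (`NotLDAPPassword=x` should stay untouched). Use `%q` rather than `%s` in the `Fatalf` so an empty or whitespace-bearing result is visible in the failure message.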