From 1bd314b8d2d1f2d561a32f62ebc022bbdcd90a36 Mon Sep 17 00:00:00 2001
From: michaeloffner
Date: Thu, 5 Oct 2023 09:15:53 +0200
Subject: [PATCH] LDEV-4718 - filter out secret
---
 .../lucee/runtime/exp/PageExceptionImpl.java | 36 +++-
 loader/build.xml | 2 +-
 loader/pom.xml | 2 +-
 test/functions/StoreACL.cfc | 164 ------------------
 test/functions/StoreGetMetaData.cfc | 100 -----------
 5 files changed, 36 insertions(+), 268 deletions(-)
 delete mode 100644 test/functions/StoreACL.cfc
 delete mode 100644 test/functions/StoreGetMetaData.cfc
diff --git a/core/src/main/java/lucee/runtime/exp/PageExceptionImpl.java b/core/src/main/java/lucee/runtime/exp/PageExceptionImpl.java
index 5c3dd154df..ec4713235e 100755
--- a/core/src/main/java/lucee/runtime/exp/PageExceptionImpl.java
+++ b/core/src/main/java/lucee/runtime/exp/PageExceptionImpl.java
@@ -103,7 +103,7 @@ public PageExceptionImpl(String message, String type) {
  * @param customType CUstom Type as String
  */
 public PageExceptionImpl(String message, String type, String customType) {
-    super(message == null ? "" : message);
+    super(filterSecrets(message == null ? "" : message, 0));
     // rootCause=this;
     this.type = type.toLowerCase().trim();
     this.customType = customType;
@@ -117,7 +117,7 @@ public PageExceptionImpl(String message, String type, String customType) {
  * @param type Type as String
  */
 public PageExceptionImpl(Throwable e, String type) {
-    super(StringUtil.isEmpty(e.getMessage(), true) ? e.getClass().getName() : e.getMessage());
+    super(filterSecrets(StringUtil.isEmpty(e.getMessage(), true) ? e.getClass().getName() : e.getMessage(), 0));
     if (e instanceof InvocationTargetException) e = ((InvocationTargetException) e).getTargetException();
     // Throwable cause = e.getCause();
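Review bot: In the `PageExceptionImpl(Throwable e, String type)` hunk the redaction covers only the string handed to `super(...)`; `e` itself is kept unfiltered, so if it is attached as the cause further down (the hunk shows only the commented-out `// Throwable cause = e.getCause();`, so this is inferred), `getCause().getMessage()`, `printStackTrace()` and any stack-trace or detail rendering will still carry the original URL with the secret. The same gap applies to the `(String message, String type, String customType)` hunk above it for the separate `detail` field, which is not visibly passed through `filterSecrets`. Consider routing every text the exception surfaces (message, detail, cause message, additional info) through the same filter instead of only the constructor argument, and documenting that on the constructors, e.g. `// credentials embedded in S3 URLs are redacted from the message only; detail/cause are the caller's responsibility` until that is done. Both constructors continue past the hunk.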
@@ -135,6 +135,38 @@ public PageExceptionImpl(Throwable e, String type) {
     this.type = type.trim();
 }
 
+private static String filterSecrets(String msg, int startIndex) {
+    if (!StringUtil.isEmpty(msg)) {
+        // S3 secret
+        startIndex = StringUtil.indexOfIgnoreCase(msg, "s3://", startIndex);
+        if (startIndex != -1) {
+            startIndex += 5;
+            int atIndex = msg.indexOf('@', startIndex + 1);
+            int colonIndex = msg.indexOf(':', startIndex + 1);
+            int slashIndex = msg.indexOf('/', startIndex + 1);
+            if (atIndex != -1) {
+                if (colonIndex != -1 && colonIndex < atIndex) {
+                    String secretAccessKey = msg.substring(colonIndex + 1, atIndex);
+                    int index = secretAccessKey.indexOf(':');
+                    if (index != -1) {
+                        secretAccessKey = secretAccessKey.substring(0, index);
+                    }
+                    msg = filterSecrets(StringUtil.replace(msg, secretAccessKey, "{SECRET_ACCESS_KEY}"), atIndex);
+                }
+            }
+            if (slashIndex != -1) {
+                String secretAccessKey = msg.substring(colonIndex + 1, slashIndex);
+                int index = secretAccessKey.indexOf(':');
+                if (index != -1) {
+                    secretAccessKey = secretAccessKey.substring(0, index);
+                }
+                msg = filterSecrets(StringUtil.replace(msg, secretAccessKey, "{SECRET_ACCESS_KEY}"), slashIndex);
+            }
+        }
+    }
+    return msg;
+}
+
 @Override
 public String getDetail() {
     if (detail == null || detail.equals(getMessage())) return "";
diff --git a/loader/build.xml b/loader/build.xml
index 5e547837d5..3f3af7baa8 100644
--- a/loader/build.xml
+++ b/loader/build.xml
@@ -2,7 +2,7 @@
-
+
diff --git a/loader/pom.xml b/loader/pom.xml
index 5a17986053..4d3c09112c 100644
--- a/loader/pom.xml
+++ b/loader/pom.xml
@@ -3,7 +3,7 @@
 org.lucee lucee - 6.0.0.572-SNAPSHOT + 6.0.0.573-SNAPSHOT jar Lucee Loader Build
diff --git a/test/functions/StoreACL.cfc b/test/functions/StoreACL.cfc
deleted file mode 100644
index 677c28e089..0000000000
--- a/test/functions/StoreACL.cfc
+++ /dev/null
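Review bot: `filterSecrets` can throw `StringIndexOutOfBoundsException` from inside the exception constructor for an ordinary S3 URL without credentials: in a message like `s3://bucket/key.txt: not found` (constructed example) the `:` after the key makes `colonIndex` larger than `slashIndex`, so `msg.substring(colonIndex + 1, slashIndex)` in the `slashIndex != -1` block fails, and when there is no colon at all `colonIndex + 1` is 0 and everything up to the slash is replaced by `{SECRET_ACCESS_KEY}`, mangling the message. The slash block also runs after the `@` block has already rewritten `msg`, so `colonIndex` and `slashIndex` are by then stale offsets into a string of a different length. A precompiled pattern that matches only the `s3://<accessKeyId>:<secret>` shape avoids all of this while keeping the signature and the `StringUtil.replace` call that substitutes the secret wherever it occurs; it needs `java.util.regex.Matcher` and `java.util.regex.Pattern` imports at the top of the file, which is outside this hunk. Like the original, the pattern treats whatever follows the first `:` after the key id as the secret, so both the `s3://id:secret:host@bucket` and the `s3://id:secret/bucket` forms the two branches handle are redacted.
```java
/** Matches an S3 URL carrying credentials; group 1 is the secret access key. */
private static final Pattern S3_CREDENTIALS = Pattern.compile("(?i)s3://[^:/@\\s]*:([^:/@\\s]+)");

/**
 * Replaces the secret access key of every credentialed S3 URL found in {@code msg}
 * (searching from {@code startIndex}) with the placeholder {SECRET_ACCESS_KEY}.
 * Messages without such a URL are returned unchanged.
 */
private static String filterSecrets(String msg, int startIndex) {
    if (StringUtil.isEmpty(msg) || startIndex < 0 || startIndex >= msg.length()) return msg;
    Matcher m = S3_CREDENTIALS.matcher(msg);
    String filtered = msg;
    int from = startIndex;
    // scan the untouched original so match offsets stay valid while the copy is rewritten
    while (m.find(from)) {
        from = m.end();
        filtered = StringUtil.replace(filtered, m.group(1), "{SECRET_ACCESS_KEY}");
    }
    return filtered;
}
```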
@@ -1,164 +0,0 @@ - -component extends="org.lucee.cfml.test.LuceeTestCase" labels="s3" { - - //public function beforeTests(){} - - //public function afterTests(){} - - private function isNewS3(){ - qry= extensionlist(false); - isNewS3=false; - loop query=qry { - if(qry.id=="17AB52DE-B300-A94B-E058BD978511E39E") { - if(left(qry.version,1)>=2) return true; - } - } - return false; - } - - - private struct function getCredentials() { - return server.getTestService("s3"); - } - - public function setUp(){ - var s3=getCredentials(); - if(!isNull(s3.accessKeyId)) { - application action="update" s3=s3; - variables.s3Supported=true; - variables.s3_bucket_prefix = s3.BUCKET_PREFIX; - } - else - variables.s3Supported=false; - } - - public function testStoreAddACLBucket() localMode=true { - if(variables.s3Supported) { - try{ - testStoreACL("s3://#variables.s3_bucket_prefix#addaclbucket",true,true); - } - finally { - directoryDelete("s3://#variables.s3_bucket_prefix#addaclbucket",true); - } - } - } - - public function testStoreSetACLBucket() localMode=true { - if(variables.s3Supported) { - try{ - testStoreACL("s3://#variables.s3_bucket_prefix#setaclbucket2",true,false); - } - finally { - directoryDelete("s3://#variables.s3_bucket_prefix#setaclbucket2",true); - } - } - } - - public function testStoreAddACLObject() localMode=true { - if(variables.s3Supported) { - try{ - testStoreACL("s3://#variables.s3_bucket_prefix#addaclobject/sub12234",false,true); - } - finally { - directoryDelete("s3://#variables.s3_bucket_prefix#addaclobject",true); - } - } - } - - public function testStoreSetACLObject() localMode=true { - if(variables.s3Supported) { - try{ - testStoreACL("s3://#variables.s3_bucket_prefix#setaclobject2/sub12234",false,false); - } - finally { - directoryDelete("s3://#variables.s3_bucket_prefix#setaclobject2",true); - } - } - } - - private function testStoreACL(required dir, required boolean bucket, required boolean add) localMode=true { - start=getTickCount(); - - 
if(DirectoryExists(dir)) directoryDelete(dir,true); - - assertFalse(DirectoryExists(dir)); - directoryCreate(dir); - - // check inital data - var acl=StoreGetACL(dir); - if(bucket || isNewS3()) {// newer S3 extension no longer set public read by default for objects - assertEquals(1,acl.len()); - assertEquals("FULL_CONTROL",toList(acl,"permission")); - assertEquals("info",toList(acl,"displayName")); - //var id=acl[1].id; - } - else { - assertEquals(2,acl.len()); - assertEquals("FULL_CONTROL,READ",toList(acl,"permission")); - assertEquals("all",toList(acl,"group")); - assertEquals("info",toList(acl,"displayName")); - } - - - // add ACL - if(add) { - arr=[{'group':"authenticated",'permission':"WRITE"}]; - StoreAddACL(dir,arr); - - // test output - var acl=StoreGetACL(dir); - - if(bucket || isNewS3()) {// newer S3 extension no longer set public read by default for objects - assertEquals(2,acl.len()); - assertEquals("FULL_CONTROL,WRITE",toList(acl,"permission")); - assertEquals("authenticated",toList(acl,"group")); - } - else { - assertEquals(3,acl.len()); - assertEquals("FULL_CONTROL,READ,WRITE",toList(acl,"permission")); - assertEquals("all,authenticated",toList(acl,"group")); - } - } - // set ACL - else { - arr=[{'group':"authenticated",'permission':"WRITE"}]; - StoreSetACL(dir,arr); - - // test output - var acl=StoreGetACL(dir); - - assertEquals(1,acl.len()); - assertEquals("WRITE",toList(acl,"permission")); - assertEquals("authenticated",toList(acl,"group")); - } - } - - - private function toList(arr,key){ - var rtn=""; - loop array=arr item="local.sct" { - if(!isNull(sct[key]))rtn=listAppend(rtn,sct[key]); - } - return listSort(rtn,"textnoCase"); - } - -} - \ No newline at end of file diff --git a/test/functions/StoreGetMetaData.cfc b/test/functions/StoreGetMetaData.cfc deleted file mode 100644 index 4596db5c02..0000000000 --- a/test/functions/StoreGetMetaData.cfc +++ /dev/null 
@@ -1,100 +0,0 @@ - -component extends="org.lucee.cfml.test.LuceeTestCase" labels="s3" { - //public function beforeTests(){} - - //public function afterTests(){} - - - private struct function getCredentials() { - return server.getTestService("s3"); - } - - public function setUp(){ - var s3=getCredentials(); - if(!isNull(s3.ACCESS_KEY_ID)) { - application action="update" s3={ - accessKeyId: s3.ACCESS_KEY_ID, - awsSecretKey: s3.SECRET_KEY - }; - variables.s3Supported=true; - } else { - variables.s3Supported=false; - } - } - - public function testStoreMetadata() localMode=true { - if(!variables.s3Supported) return; - - var dir="s3://" & server.getTestService("s3").bucket_prefix & "metadata-#lcase(hash(CreateGUID()))#/"; - if ( directoryExists( dir ) ) - directoryDelete( dir, true ); - try { - assertFalse(DirectoryExists( dir ) ); - directoryCreate( dir ) ; - - var obj = dir & "/object/"; // can't create metadata on a bucket - directoryCreate( obj ); - - var md = storeGetMetaData( obj ); - var countBefore = structCount( md ); - storesetMetaData( obj, {"susi":"Susanne"} ); - var md = storeGetMetaData( obj ); - assertEquals( countBefore+1, structCount( md ) ); - assertEquals( "Susanne", md.susi ); - } - finally { - if ( directoryExists( dir ) ) - directoryDelete( dir, true ); - } - } - - private string function getTestBucketUrl() localmode=true { - s3Details = getCredentials(); - bucketName = server.getTestService("s3").bucket_prefix & lcase("metadata2-#lcase(hash(CreateGUID()))#"); - return "s3://#s3Details.ACCESS_KEY_ID#:#s3Details.SECRET_KEY#@/#bucketName#"; - } - - private numeric function checkS3Version(){ - var s3Version = extensionList().filter(function(row){ - return (row.name contains "s3"); - }).version; - return listFirst( s3Version, "." 
) ; - }; - - public function testS3Url(){ - if(!variables.s3Supported) return; - if ( checkS3Version() gt 0 ) - return; // only works with v2 due to https://luceeserver.atlassian.net/browse/LDEV-4202 - var bucket = getTestBucketUrl(); - try { - expect( directoryExists( bucket ) ).toBeFalse(); - directory action="create" directory="#bucket#"; - expect( directoryExists( bucket ) ).toBeTrue(); - var info = StoreGetMetadata( bucket ); - expect( info ).toHaveKey( "region" ); - expect( info.region ).toBe( "us-east-1" ); - } finally { - if ( directoryExists( bucket ) ) - directoryDelete( bucket ); - } - } -} - \ No newline at end of file