authorRonny <ronny@apache.org>2022-10-09 09:45:17 +0200
committerGitHub <noreply@github.com>2022-10-09 09:45:17 +0200
commit0c584227350afe963d5c0acc8af45791200deb38 (patch)
treed51a7abfc3ac168a9bb3c13e290c8daea90f7fb0
parent228b07ead3c9795bf41cddaa43ae4e43029e28a6 (diff)
downloadcouchdb-0c584227350afe963d5c0acc8af45791200deb38.tar.gz
Redact passwords in log file (#4198)
In some log messages user passwords were not redacted. Move and introduce a global helper function `remove_sensitive_data` to redact passwords.
-rw-r--r--src/couch/src/couch_util.erl7
-rw-r--r--src/setup/src/setup.erl4
-rw-r--r--src/setup/src/setup_httpd.erl15
3 files changed, 15 insertions, 11 deletions
diff --git a/src/couch/src/couch_util.erl b/src/couch/src/couch_util.erl
index afce1e0a5..dc58e2bf6 100644
--- a/src/couch/src/couch_util.erl
+++ b/src/couch/src/couch_util.erl
@@ -45,6 +45,7 @@
-export([version_to_binary/1]).
-export([verify_hash_names/2]).
-export([get_config_hash_algorithms/0]).
+-export([remove_sensitive_data/1]).
-include_lib("couch/include/couch_db.hrl").
@@ -860,3 +861,9 @@ get_config_hash_algorithms() ->
[] -> [?DEFAULT_HASH_ALGORITHM];
VerifiedHashNames -> VerifiedHashNames
end.
+
+-spec remove_sensitive_data(list()) -> list().
+remove_sensitive_data(KVList) ->
+ KVList1 = lists:keyreplace(<<"password">>, 1, KVList, {<<"password">>, <<"****">>}),
+ % some KVList entries are atoms, so test fo this too
+ lists:keyreplace(password, 1, KVList1, {password, <<"****">>}).
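Review bot: `lists:keyreplace/4` rewrites only the first tuple whose key matches, so in `remove_sensitive_data/1` a list that carries a second `<<"password">>` or `password` entry is still logged with that value intact. The input is a decoded request body or an options proplist, so mapping over every element is the safer shape; the version below masks every matching pair and passes everything else through. A short doc comment saying that only top-level `password` keys are masked would help callers who log nested or differently named secrets. The comment `test fo this too` has a typo (`for`).
```erlang
-spec remove_sensitive_data(list()) -> list().
remove_sensitive_data(KVList) ->
    [redact_kv(KV) || KV <- KVList].

%% Mask the value of every password pair, whether the key is a binary or an atom.
redact_kv({Key, _Value}) when Key =:= <<"password">>; Key =:= password ->
    {Key, <<"****">>};
redact_kv(Other) ->
    Other.
```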
diff --git a/src/setup/src/setup.erl b/src/setup/src/setup.erl
index 1757a43e7..35830284d 100644
--- a/src/setup/src/setup.erl
+++ b/src/setup/src/setup.erl
@@ -166,7 +166,7 @@ enable_cluster_int(Options, false) ->
Port = proplists:get_value(port, Options),
setup_node(NewCredentials, NewBindAddress, NodeCount, Port),
- couch_log:debug("Enable Cluster: ~p~n", [Options]).
+ couch_log:debug("Enable Cluster: ~p~n", [couch_util:remove_sensitive_data(Options)]).
set_admin(Username, Password) ->
config:set("admins", binary_to_list(Username), binary_to_list(Password), #{sensitive => true}).
@@ -325,7 +325,7 @@ add_node(Options) ->
add_node_int(_Options, false) ->
{error, cluster_not_enabled};
add_node_int(Options, true) ->
- couch_log:debug("add node_int: ~p~n", [Options]),
+ couch_log:debug("add node_int: ~p~n", [couch_util:remove_sensitive_data(Options)]),
ErlangCookie = erlang:get_cookie(),
% POST to nodeB/_setup
diff --git a/src/setup/src/setup_httpd.erl b/src/setup/src/setup_httpd.erl
index 418a72845..ac688c4c6 100644
--- a/src/setup/src/setup_httpd.erl
+++ b/src/setup/src/setup_httpd.erl
@@ -19,7 +19,7 @@ handle_setup_req(#httpd{method = 'POST'} = Req) ->
ok = chttpd:verify_is_server_admin(Req),
couch_httpd:validate_ctype(Req, "application/json"),
Setup = get_body(Req),
- couch_log:notice("Setup: ~p~n", [remove_sensitive(Setup)]),
+ couch_log:notice("Setup: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
Action = binary_to_list(couch_util:get_value(<<"action">>, Setup, <<"missing">>)),
case handle_action(Action, Setup) of
ok ->
@@ -92,7 +92,7 @@ handle_action("enable_cluster", Setup) ->
ok
end;
handle_action("finish_cluster", Setup) ->
- couch_log:notice("finish_cluster: ~p~n", [remove_sensitive(Setup)]),
+ couch_log:notice("finish_cluster: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
Options = get_options(
[
@@ -108,7 +108,7 @@ handle_action("finish_cluster", Setup) ->
ok
end;
handle_action("enable_single_node", Setup) ->
- couch_log:notice("enable_single_node: ~p~n", [remove_sensitive(Setup)]),
+ couch_log:notice("enable_single_node: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
Options = get_options(
[
@@ -129,7 +129,7 @@ handle_action("enable_single_node", Setup) ->
ok
end;
handle_action("add_node", Setup) ->
- couch_log:notice("add_node: ~p~n", [remove_sensitive(Setup)]),
+ couch_log:notice("add_node: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
Options = get_options(
[
@@ -154,9 +154,9 @@ handle_action("add_node", Setup) ->
ok
end;
handle_action("remove_node", Setup) ->
- couch_log:notice("remove_node: ~p~n", [remove_sensitive(Setup)]);
+ couch_log:notice("remove_node: ~p~n", [couch_util:remove_sensitive_data(Setup)]);
handle_action("receive_cookie", Setup) ->
- couch_log:notice("receive_cookie: ~p~n", [remove_sensitive(Setup)]),
+ couch_log:notice("receive_cookie: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
Options = get_options(
[
{cookie, <<"cookie">>}
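Review bot: The `receive_cookie` clause still writes the cookie value to the notice-level log, because `couch_util:remove_sensitive_data/1` masks only `password` keys while the `get_options` call just below reads a `<<"cookie">>` field from the same `Setup` body. The same body is also logged in `handle_setup_req` before dispatch. If this is the Erlang distribution cookie (the `erlang:get_cookie()` call in setup.erl suggests it is), it is a cluster-wide shared secret and should not be readable from logs. Consider adding `<<"cookie">>` and `cookie` to the keys the helper masks, or logging only the action name in this clause. The `handle_action` clause continues past the end of the hunk.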
@@ -181,6 +181,3 @@ get_body(Req) ->
couch_log:notice("Body Fail: ~p~n", [Else]),
couch_httpd:send_error(Req, 400, <<"bad_request">>, <<"Missing JSON body'">>)
end.
-
-remove_sensitive(KVList) ->
- lists:keyreplace(<<"password">>, 1, KVList, {<<"password">>, <<"****">>}).