Don't leak passwords to the log

yast · Mar 13, 2024 · 32ea09d · 32ea09d
1 parent 2ac81c0
commit 32ea09d
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 0 deletions.
diff --git a/src/lib/y2network/connection_config/wireless.rb b/src/lib/y2network/connection_config/wireless.rb
@@ -78,6 +78,7 @@ class Wireless < Base
       attr_accessor :client_key
       # @return [String] client private key password
       attr_accessor :client_key_password
+      alias_method :super_inspect, :inspect
 
       def initialize
         super
@@ -113,6 +114,28 @@ def mode=(wireless_mode)
       def keys?
         !(keys || []).compact.all?(&:empty?)
       end
+
+      # Return a clone of this object with all sensitive fields (passwords etc.) obscured.
+      # Use this for log output to avoid leaking passwords.
+      def sanitized
+        san = dup
+        san.wpa_psk = sanitized_field(san.wpa_psk)
+        san.wpa_password = sanitized_field(san.wpa_password)
+        san.client_key_password = sanitized_field(san.client_key_password)
+
+        san
+      end
+
+      # Sanitize one field if it is non-nil and non-empty.
+      def sanitized_field(orig)
+        return orig if orig.nil? || orig.empty?
+
+        "<sanitized>".freeze
+      end
+
+      def inspect
+        sanitized.super_inspect
+      end
     end
   end
 end
diff --git a/test/y2network/config_test.rb b/test/y2network/config_test.rb
@@ -604,4 +604,52 @@
       expect(new_config.connections).to eq(updated_connections)
     end
   end
+
+  describe "#sanitized" do
+    let(:conn) do
+      Y2Network::ConnectionConfig::Wireless.new.tap do |c|
+        c.wpa_psk = "s3cr3t"
+        c.wpa_password = "s3cr3t"
+        c.client_key_password = "s3cr3t"
+      end
+    end
+
+    it "obscures the wpa_psk" do
+      expect(conn.wpa_psk).to eql("s3cr3t")
+      expect(conn.sanitized.wpa_psk).to eql("<sanitized>")
+    end
+
+    it "obscures the wpa_password" do
+      expect(conn.wpa_password).to eql("s3cr3t")
+      expect(conn.sanitized.wpa_password).to eql("<sanitized>")
+    end
+
+    it "obscures the client_key_password" do
+      expect(conn.client_key_password).to eql("s3cr3t")
+      expect(conn.sanitized.client_key_password).to eql("<sanitized>")
+    end
+
+    it "leaves the original untouched" do
+      expect(conn.sanitized.wpa_psk).to eql("<sanitized>")
+      expect(conn.wpa_psk).to eql("s3cr3t")
+    end
+  end
+
+  describe "#inspect" do
+    let(:conn) do
+      Y2Network::ConnectionConfig::Wireless.new.tap do |c|
+        c.wpa_psk = "s3cr3t"
+        c.wpa_password = "s3cr3t"
+        c.client_key_password = "s3cr3t"
+      end
+    end
+
+    it "does not leak a password" do
+      expect(conn.inspect).to_not match(/s3cr3t/)
+    end
+
+    it "contains <sanitized> instead of passwords" do
+      expect(conn.inspect).to match(/<sanitized>/)
+    end
+  end
 end