Ensure we mask sensitive data from Mistral Action logs
Mistral didn't make use of the oslo_utils "mask_password" methods,
leading to sensitive data leakage in its logs.
This patch corrects this security issue.
Note that it depends on oslo_utils patch adding new patterns, and
ensuring it's case-insensitive.
Change-Id: I544d3c172f2dea02c62c49c311c4b5954413ae15
Related-Bug: #1850843
Co-Authored-By: Dougal Matthews <dougal@redhat.com>
Signed-off-by: Cédric Jeanneret <cjeanner@redhat.com>
(cherry picked from commit f51d2a21c0
)
parent
e49a29ac49
commit
1265d9d53a
|
@ -32,8 +32,11 @@ class Result(serialization.MistralSerializable):
|
|||
)
|
||||
|
||||
def cut_repr(self):
|
||||
_data = utils.mask_data(self.data)
|
||||
_error = utils.mask_data(self.error)
|
||||
_cancel = utils.mask_data(self.cancel)
|
||||
return 'Result [data=%s, error=%s, cancel=%s]' % (
|
||||
utils.cut(self.data), utils.cut(self.error), str(self.cancel)
|
||||
utils.cut(_data), utils.cut(_error), str(_cancel)
|
||||
)
|
||||
|
||||
def is_cancel(self):
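Review bot: Only cut_repr is routed through utils.mask_data here, so any other string form of Result that reaches a log (a `__repr__` or a serialized form, if the class defines one outside this hunk) would still carry the raw data and error values; those paths are worth confirming before the leak is treated as closed. The order used is the right one, mask first and then utils.cut, but nothing records why, so I would add `# Mask before truncating: a secret cut off mid-pattern may no longer match and would be logged.` above the three mask_data calls. `self.cancel` is formatted with str() and looks like a flag, so masking it is probably unnecessary. The Result class starts and ends outside the hunk.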
|
||||
|
|
|
@ -84,3 +84,20 @@ class TestUtils(tests_base.TestCase):
|
|||
s = utils.cut_dict(d, 100)
|
||||
|
||||
self.assertIn(s, ["{1: 2, 3: 4}", "{3: 4, 1: 2}"])
|
||||
|
||||
def test_mask_data(self):
|
||||
payload = {'adminPass': 'fooBarBaz'}
|
||||
expected = {'adminPass': '***'}
|
||||
self.assertEqual(expected, utils.mask_data(payload))
|
||||
|
||||
payload = """adminPass='fooBarBaz'"""
|
||||
expected = """adminPass='***'"""
|
||||
self.assertEqual(expected, utils.mask_data(payload))
|
||||
|
||||
payload = [{'adminPass': 'fooBarBaz'}, {"new_pass": "blah"}]
|
||||
expected = [{'adminPass': '***'}, {"new_pass": "***"}]
|
||||
self.assertEqual(expected, utils.mask_data(payload))
|
||||
|
||||
payload = ["adminPass", 'fooBarBaz']
|
||||
expected = ["adminPass", 'fooBarBaz']
|
||||
self.assertEqual(expected, utils.mask_data(payload))
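Review bot: test_mask_data never exercises a list nested inside a dict or a key in a different case, although the commit message names case-insensitivity and mask_data adds its own list branch. I would add `payload = {'servers': [{'adminPass': 'fooBarBaz'}]}` with `expected = {'servers': [{'adminPass': '***'}]}`, plus a mixed-case key such as `{'AdminPass': 'fooBarBaz'}` (constructed values). The last case pins that a flat `["adminPass", 'fooBarBaz']` pair comes back unmasked; a one-line comment saying this is a known limit of key-based masking would stop it reading as a guarantee that such data is safe to log. TestUtils starts outside the hunk.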
|
||||
|
|
|
@ -14,6 +14,8 @@
|
|||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
from oslo_utils.strutils import mask_dict_password
|
||||
from oslo_utils.strutils import mask_password
|
||||
|
||||
|
||||
def cut_dict(d, length=100):
|
||||
|
@ -139,3 +141,12 @@ def cut(data, length=100):
|
|||
return cut_dict(data, length=length)
|
||||
|
||||
return cut_string(str(data), length=length)
|
||||
|
||||
|
||||
def mask_data(obj):
|
||||
if isinstance(obj, dict):
|
||||
return mask_dict_password(obj)
|
||||
elif isinstance(obj, list):
|
||||
return [mask_data(i) for i in obj]
|
||||
else:
|
||||
return mask_password(obj)
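Review bot: mask_data recurses into a top-level list but hands a dict straight to mask_dict_password, so a list of dicts stored under an innocuous key (for example `{'servers': [{'adminPass': ...}]}`) is only masked if the installed oslo_utils happens to walk list values itself, which I would not rely on. Tuples and other non-list sequences also skip the list branch and reach mask_password, which appears to return text, so callers get a string back instead of the original type. The function has no docstring; it should say that masking is key-based, that a copy is returned, and that non-dict, non-list input comes back as a masked string. A sketch of the dict and sequence branches is below; the else branch stays as it is.

```python
def mask_data(obj):
    """Return a copy of obj with password-like values replaced by '***'."""
    if isinstance(obj, dict):
        # mask_dict_password covers sensitive keys and nested dicts; walk the
        # result once more so sequence values holding dicts are covered too.
        masked = mask_dict_password(obj)
        return {
            k: mask_data(v) if isinstance(v, (list, tuple)) else v
            for k, v in masked.items()
        }
    elif isinstance(obj, (list, tuple)):
        return [mask_data(i) for i in obj]
    # … unchanged: else branch falling back to mask_password …
```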
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
security:
|
||||
- Ensure we mask sensitive data before logging Action return values
|
||||
fixes:
|
||||
- https://bugs.launchpad.net/tripleo/+bug/1850843
|