From 90a504672071d61bdae3206c4764bd3528c165d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Herv=C3=A9=20Beraud?= Date: Wed, 9 Mar 2022 14:23:29 +0100 Subject: [PATCH] fix strutils password regex Those regexes will fix Object style representation output. See the payload used in tests for details. This kind of output can be obtained by using the command: ``` $ openstack --debug ``` Co-Authored-By: Daniel Bengtsson Change-Id: I9024be93b109d1b64ca736546c0f69db7a5e06d0 (cherry picked from commit de4429f2be5fa21d1f6e1cacbb3c8417a7c56310) (cherry picked from commit 2c1b0628771695e546b0acb1e3c44c16c0c690db) --- oslo_utils/strutils.py | 2 ++ oslo_utils/tests/test_strutils.py | 11 +++++++++++ .../notes/mask-password-pattern-c8c880098743de3e.yaml | 5 +++++ 3 files changed, 18 insertions(+) create mode 100644 releasenotes/notes/mask-password-pattern-c8c880098743de3e.yaml diff --git a/oslo_utils/strutils.py b/oslo_utils/strutils.py index e27a63d7..0bb9fc56 100644 --- a/oslo_utils/strutils.py +++ b/oslo_utils/strutils.py @@ -79,6 +79,8 @@ _SANITIZE_PATTERNS_WILDCARD = {} # have two parameters. Use different lists of patterns here. _FORMAT_PATTERNS_1 = [r'(%(key)s[0-9]*\s*[=]\s*)[^\s^\'^\"]+'] _FORMAT_PATTERNS_2 = [r'(%(key)s[0-9]*\s*[=]\s*[\"\'])[^\"\']*([\"\'])', + r'(%(key)s[0-9]*\s*[=]\s*[\"])[^\"]*([\"])', + r'(%(key)s[0-9]*\s*[=]\s*[\'])[^\']*([\'])', r'(%(key)s[0-9]*\s+[\"\'])[^\"\']*([\"\'])', r'([-]{2}%(key)s[0-9]*\s+)[^\'^\"^=^\s]+([\s]*)', r'(<%(key)s[0-9]*>)[^<]*()', diff --git a/oslo_utils/tests/test_strutils.py b/oslo_utils/tests/test_strutils.py index ef679ffb..12a09909 100644 --- a/oslo_utils/tests/test_strutils.py +++ b/oslo_utils/tests/test_strutils.py @@ -289,6 +289,17 @@ StringToBytesTest.generate_scenarios() class MaskPasswordTestCase(test_base.BaseTestCase): + def test_namespace_objects(self): + payload = """ + Namespace(passcode='', username='', password='my"password', + profile='', verify=None, token='') + """ + expected = """ + Namespace(passcode='', username='', password='***', + profile='', verify=None, token='***') + """ + self.assertEqual(expected, strutils.mask_password(payload)) + def test_sanitize_keys(self): lowered = [k.lower() for k in strutils._SANITIZE_KEYS] diff --git a/releasenotes/notes/mask-password-pattern-c8c880098743de3e.yaml b/releasenotes/notes/mask-password-pattern-c8c880098743de3e.yaml new file mode 100644 index 00000000..15b3efbf --- /dev/null +++ b/releasenotes/notes/mask-password-pattern-c8c880098743de3e.yaml @@ -0,0 +1,5 @@ +--- +security: + - | + This patch ensures that we mask sensitive data when masking password, even + if double quotes are used as password value.