Skip to content

Commit

Permalink
Use a case-insensitive search when redacting sensitive patterns in logs
Browse files Browse the repository at this point in the history
  • Loading branch information
@timrogers
timrogers committed Nov 28, 2023
1 parent ec528ae commit 31c5bdc
Show file tree
Hide file tree
Showing 3 changed files with 55 additions and 37 deletions.
1 change: 1 addition & 0 deletions RELEASENOTES.md
View file
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
- Redact `X-Amz-Credential` querystring parameters in AWS S3 URLs included in logs
- When redacting sensitive patterns in log output, use a non-case sensitive search
2 changes: 1 addition & 1 deletion src/Octoshift/Services/OctoLogger.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ private string Redact(string msg)

foreach (var redactionPattern in _redactionPatterns)
{
result = Regex.Replace(result, redactionPattern, "***");
result = Regex.Replace(result, redactionPattern, "***", RegexOptions.IgnoreCase);
}

return result;
Expand Down
89 changes: 53 additions & 36 deletions src/OctoshiftCLI.Tests/Octoshift/Services/OctoLoggerTests.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,51 +63,68 @@ public void Secrets_Should_Be_Masked_From_Logs_And_Console()
[Fact]
public void Ghes_Archive_Url_Tokens_Should_Be_Replaced_In_Logs_And_Console()
{

var ghesArchiveUrl = "https://files.github.acmeinc.com/foo?token=foobar";

_octoLogger.Verbose = false;
_octoLogger.LogInformation($"Archive URL: {ghesArchiveUrl}");
_octoLogger.LogVerbose($"Archive URL: {ghesArchiveUrl}");
_octoLogger.LogWarning($"Archive URL: {ghesArchiveUrl}");
_octoLogger.LogSuccess($"Archive URL: {ghesArchiveUrl}");
_octoLogger.LogError($"Archive URL: {ghesArchiveUrl}");
_octoLogger.LogError(new OctoshiftCliException($"Archive URL: {ghesArchiveUrl}"));
_octoLogger.LogError(new InvalidOperationException($"Archive URL: {ghesArchiveUrl}"));

_octoLogger.Verbose = true;
_octoLogger.LogVerbose($"Archive URL: {ghesArchiveUrl}");

_consoleOutput.Should().NotContain(ghesArchiveUrl);
_logOutput.Should().NotContain(ghesArchiveUrl);
_verboseLogOutput.Should().NotContain(ghesArchiveUrl);
_consoleError.Should().NotContain(ghesArchiveUrl);
var variants = new[]
{
ghesArchiveUrl,
ghesArchiveUrl.ToUpper(),
ghesArchiveUrl.ToLower()
};

foreach (var variant in variants)
{
_octoLogger.Verbose = false;
_octoLogger.LogInformation($"Archive URL: {variant}");
_octoLogger.LogVerbose($"Archive URL: {variant}");
_octoLogger.LogWarning($"Archive URL: {variant}");
_octoLogger.LogSuccess($"Archive URL: {variant}");
_octoLogger.LogError($"Archive URL: {variant}");
_octoLogger.LogError(new OctoshiftCliException($"Archive URL: {variant}"));
_octoLogger.LogError(new InvalidOperationException($"Archive URL: {variant}"));

_octoLogger.Verbose = true;
_octoLogger.LogVerbose($"Archive URL: {variant}");

_consoleOutput.Should().NotContain(variant);
_logOutput.Should().NotContain(variant);
_verboseLogOutput.Should().NotContain(variant);
_consoleError.Should().NotContain(variant);
}

_consoleOutput.Should().Contain("Archive URL: https://files.github.acmeinc.com/foo?token=***");
}

[Fact]
public void Aws_Url_X_Aws_Credential_Parameters_Should_Be_Replaced_In_Logs_And_Console()
{

var awsUrl = "https://example-s3-bucket-name.s3.amazonaws.com/uuid-uuid-uuid.tar.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AAAAAAAAAAAAAAAAAAAAAAA&X-Amz-Date=20231025T104425Z&X-Amz-Expires=172800&X-Amz-Signature=AAAAAAAAAAAAAAAAAAAAAAA&X-Amz-SignedHeaders=host&actor_id=1&key_id=0&repo_id=0&response-content-disposition=filename%3Duuid-uuid-uuid.tar.gz&response-content-type=application%2Fx-gzip";

_octoLogger.Verbose = false;
_octoLogger.LogInformation($"Archive (metadata) download url: {awsUrl}");
_octoLogger.LogVerbose($"Archive (metadata) download url: {awsUrl}");
_octoLogger.LogWarning($"Archive (metadata) download url: {awsUrl}");
_octoLogger.LogSuccess($"Archive (metadata) download url: {awsUrl}");
_octoLogger.LogError($"Archive (metadata) download url: {awsUrl}");
_octoLogger.LogError(new OctoshiftCliException($"Archive (metadata) download url: {awsUrl}"));
_octoLogger.LogError(new InvalidOperationException($"Archive (metadata) download url: {awsUrl}"));

_octoLogger.Verbose = true;
_octoLogger.LogVerbose($"Archive (metadata) download url: {awsUrl}");

_consoleOutput.Should().NotContain(awsUrl);
_logOutput.Should().NotContain(awsUrl);
_verboseLogOutput.Should().NotContain(awsUrl);
_consoleError.Should().NotContain(awsUrl);
var variants = new[]
{
awsUrl,
awsUrl.ToUpper(),
awsUrl.ToLower()
};

foreach (var variant in variants)
{
_octoLogger.Verbose = false;
_octoLogger.LogInformation($"Archive (metadata) download url: {variant}");
_octoLogger.LogVerbose($"Archive (metadata) download url: {variant}");
_octoLogger.LogWarning($"Archive (metadata) download url: {variant}");
_octoLogger.LogSuccess($"Archive (metadata) download url: {variant}");
_octoLogger.LogError($"Archive (metadata) download url: {variant}");
_octoLogger.LogError(new OctoshiftCliException($"Archive (metadata) download url: {variant}"));
_octoLogger.LogError(new InvalidOperationException($"Archive (metadata) download url: {variant}"));
_octoLogger.LogInformation($"Archive (metadata) download url: {variant.ToLower()}");

_octoLogger.Verbose = true;
_octoLogger.LogVerbose($"Archive (metadata) download url: {variant}");

_consoleOutput.Should().NotContain(variant);
_logOutput.Should().NotContain(variant);
_verboseLogOutput.Should().NotContain(variant);
_consoleError.Should().NotContain(variant);
}

_consoleOutput.Should().Contain("https://example-s3-bucket-name.s3.amazonaws.com/uuid-uuid-uuid.tar.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=***&X-Amz-Date=20231025T104425Z&X-Amz-Expires=172800&X-Amz-Signature=AAAAAAAAAAAAAAAAAAAAAAA&X-Amz-SignedHeaders=host&actor_id=1&key_id=0&repo_id=0&response-content-disposition=filename%3Duuid-uuid-uuid.tar.gz&response-content-type=application%2Fx-gzip");
}
Expand Down

0 comments on commit 31c5bdc

Please sign in to comment.