diff options
author | Hervé Beraud <hberaud@redhat.com> | 2022-03-09 14:23:29 +0100 |
---|---|---|
committer | Hervé Beraud <herveberaud.pro@gmail.com> | 2022-03-14 12:35:47 +0000 |
commit | 5c430356a660d88f1d5b16cb3f5d7d2ee89a9253 (patch) | |
tree | e26383dc2bcd8eaea72ef8d450515da29807455d | |
parent | 5e9dfa3408a6fac7e870a9b86ee774b5fd71a595 (diff) | |
download | oslo-utils-5c430356a660d88f1d5b16cb3f5d7d2ee89a9253.tar.gz |
fix strutils password regex
Those regexes will fix Object style representation output.
See the payload used in tests for details. This kind
of output can be obtained by using the command:
```
$ openstack --debug
```
Co-Authored-By: Daniel Bengtsson <dbengt@redhat.com>
Change-Id: I9024be93b109d1b64ca736546c0f69db7a5e06d0
(cherry picked from commit de4429f2be5fa21d1f6e1cacbb3c8417a7c56310)
(cherry picked from commit 2c1b0628771695e546b0acb1e3c44c16c0c690db)
(cherry picked from commit 90a504672071d61bdae3206c4764bd3528c165d6)
(cherry picked from commit a38b56a6f9438d256d6e0f9b03181015f2b27d8c)
(cherry picked from commit 1656a00d410374bb5a0e4df7e6f7b7ce3433c608)
-rw-r--r-- | oslo_utils/strutils.py | 2 | ||||
-rw-r--r-- | oslo_utils/tests/test_strutils.py | 11 | ||||
-rw-r--r-- | releasenotes/notes/mask-password-pattern-c8c880098743de3e.yaml | 5 |
3 files changed, 18 insertions, 0 deletions
diff --git a/oslo_utils/strutils.py b/oslo_utils/strutils.py index 4b75613..0ccc0ce 100644 --- a/oslo_utils/strutils.py +++ b/oslo_utils/strutils.py @@ -80,6 +80,8 @@ _SANITIZE_PATTERNS_WILDCARD = {} # have two parameters. Use different lists of patterns here. _FORMAT_PATTERNS_1 = [r'(%(key)s[0-9]*\s*[=]\s*)[^\s^\'^\"]+'] _FORMAT_PATTERNS_2 = [r'(%(key)s[0-9]*\s*[=]\s*[\"\'])[^\"\']*([\"\'])', + r'(%(key)s[0-9]*\s*[=]\s*[\"])[^\"]*([\"])', + r'(%(key)s[0-9]*\s*[=]\s*[\'])[^\']*([\'])', r'(%(key)s[0-9]*\s+[\"\'])[^\"\']*([\"\'])', r'([-]{2}%(key)s[0-9]*\s+)[^\'^\"^=^\s]+([\s]*)', r'(<%(key)s[0-9]*>)[^<]*(</%(key)s[0-9]*>)', diff --git a/oslo_utils/tests/test_strutils.py b/oslo_utils/tests/test_strutils.py index 8c7c6f6..5a4591c 100644 --- a/oslo_utils/tests/test_strutils.py +++ b/oslo_utils/tests/test_strutils.py @@ -297,6 +297,17 @@ StringToBytesTest.generate_scenarios() class MaskPasswordTestCase(test_base.BaseTestCase): + def test_namespace_objects(self): + payload = """ + Namespace(passcode='', username='', password='my"password', + profile='', verify=None, token='') + """ + expected = """ + Namespace(passcode='', username='', password='***', + profile='', verify=None, token='***') + """ + self.assertEqual(expected, strutils.mask_password(payload)) + def test_sanitize_keys(self): lowered = [k.lower() for k in strutils._SANITIZE_KEYS] diff --git a/releasenotes/notes/mask-password-pattern-c8c880098743de3e.yaml b/releasenotes/notes/mask-password-pattern-c8c880098743de3e.yaml new file mode 100644 index 0000000..15b3efb --- /dev/null +++ b/releasenotes/notes/mask-password-pattern-c8c880098743de3e.yaml @@ -0,0 +1,5 @@ +--- +security: + - | + This patch ensures that we mask sensitive data when masking password, even + if double quotes are used as password value. |