From 8642473da204f789cb50364d2808df76d84a281a Mon Sep 17 00:00:00 2001
From: Quazgar <quazgar@posteo.de>
Date: Wed, 10 Jun 2020 10:48:06 +0000
Subject: [PATCH] FIX: Shadowing sensitive properties during logging.

Actually this was already mostly implemented before, but the bug was not closed.

For issue #68.
---
 CHANGELOG.md                                     | 16 ++++++----------
 .../java/caosdb/server/ServerProperties.java     |  5 ++++-
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f66c4ca0..8ac953fc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
-* `Entity/names` resource for retrieving all known entity names.
+- `Entity/names` resource for retrieving all known entity names.
 - Scripting is simplified by adding a `home` directory, of which a copy is
   created for each called script and set as the `HOME` environment variable.
 - [bend_symlinks.sh](misc/bend_symlinks/bend_symlinks.sh) (version 0.1, experimental)
@@ -36,26 +36,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
-* #27 - star matches slashes (e.g. for `FIND ... STORED AT /*.dat`).
-
-* #30 - file path cannot be in quotes
-
+- #27 - star matches slashes (e.g. for `FIND ... STORED AT /*.dat`).
+- #30 - file path cannot be in quotes
 - #46 - Server-side scripting failed as an unprivileged user because the was no
   writable home directory.
-
 - NaN Double Values (see #41)
-
 - #14 - Handle files on file system without File entity: Those entries are
   returned without ID but with a notice now.
-
-* #11 - pam_authentication leaks the password to unprivileged processes on the
+- #11 - pam_authentication leaks the password to unprivileged processes on the
   same machine.
 
 ### Security (in case of vulnerabilities)
 
 - TLS is by default restricted to v1.2 and v1.3 now.
-* #11 - pam_authentication leaks the password to unprivileged processes on the
+- #11 - pam_authentication leaks the password to unprivileged processes on the
   same machine.
+- #68 - Shadow sensitive information when logging for debugging purposes.
 
 
 ## [0.1.0] - 2018-10-09
diff --git a/src/main/java/caosdb/server/ServerProperties.java b/src/main/java/caosdb/server/ServerProperties.java
index 292d99e7..c1dd59f3 100644
--- a/src/main/java/caosdb/server/ServerProperties.java
+++ b/src/main/java/caosdb/server/ServerProperties.java
@@ -170,7 +170,10 @@ public class ServerProperties extends Properties {
       ArrayList<String> names = new ArrayList<>(serverProperties.stringPropertyNames());
       Collections.sort(names);
       for (String name : names) {
-        String val = name.contains("PASSW") ? "****" : serverProperties.getProperty(name);
+        String val =
+            (name.contains("PASSW") || name.contains("SECRET"))
+                ? "****"
+                : serverProperties.getProperty(name);
         logger.info(name + "=" + val);
       }
     }
-- 
GitLab