FIX: Shadowing sensitive properties during logging.

Actually this was already mostly implemented before, but the bug was not closed. For issue #68.

FIX: Shadowing sensitive properties during logging.
8642473d · Quazgar · Timm Fitschen · 06f90afe · 8642473d · 8642473d
Commit 8642473d authored 4 years ago by Quazgar Committed by Timm Fitschen 4 years ago
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ### Added

-* `Entity/names` resource for retrieving all known entity names.
+- `Entity/names` resource for retrieving all known entity names.
 - Scripting is simplified by adding a `home` directory, of which a copy is
  created for each called script and set as the `HOME` environment variable.
 - [bend_symlinks.sh](misc/bend_symlinks/bend_symlinks.sh) (version 0.1, experimental)
@@ -36,26 +36,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ### Fixed

-* #27 - star matches slashes (e.g. for `FIND ... STORED AT /*.dat`).
-
-* #30 - file path cannot be in quotes
-
+- #27 - star matches slashes (e.g. for `FIND ... STORED AT /*.dat`).
+- #30 - file path cannot be in quotes
 - #46 - Server-side scripting failed as an unprivileged user because the was no
  writable home directory.
-
 - NaN Double Values (see #41)
-
 - #14 - Handle files on file system without File entity: Those entries are
  returned without ID but with a notice now.
-
-* #11 - pam_authentication leaks the password to unprivileged processes on the
+- #11 - pam_authentication leaks the password to unprivileged processes on the
  same machine.

 ### Security (in case of vulnerabilities)

 - TLS is by default restricted to v1.2 and v1.3 now.
-* #11 - pam_authentication leaks the password to unprivileged processes on the
+- #11 - pam_authentication leaks the password to unprivileged processes on the
  same machine.
+- #68 - Shadow sensitive information when logging for debugging purposes.


 ## [0.1.0] - 2018-10-09

--- a/src/main/java/caosdb/server/ServerProperties.java
+++ b/src/main/java/caosdb/server/ServerProperties.java
@@ -170,7 +170,10 @@ public class ServerProperties extends Properties {
      ArrayList<String> names = new ArrayList<>(serverProperties.stringPropertyNames());
      Collections.sort(names);
      for (String name : names) {
-        String val = name.contains("PASSW") ? "****" : serverProperties.getProperty(name);
+        String val =
+            (name.contains("PASSW") || name.contains("SECRET"))
+                ? "****"
+                : serverProperties.getProperty(name);
        logger.info(name + "=" + val);
      }
    }