Merge pull request #206 from allthedrones/master

mythz · mythz · commit 947576320014 · 2014-11-14T16:38:18.000-05:00
Exclude password from exception and debug messages.
diff --git a/src/ServiceStack.Redis/RedisNativeClient_Utils.cs b/src/ServiceStack.Redis/RedisNativeClient_Utils.cs
@@ -270,9 +270,11 @@ private bool HandleSocketException(SocketException ex)
         private RedisResponseException CreateResponseError(string error)
         {
             HadExceptions = true;
+            string safeLastCommand = (Password == null) ? lastCommand : lastCommand.Replace(Password, "");
+
             var throwEx = new RedisResponseException(
                 string.Format("{0}, sPort: {1}, LastCommand: {2}",
-                    error, clientPort, lastCommand));
+                    error, clientPort, safeLastCommand));
             log.Error(throwEx.Message);
             throw throwEx;
         }
@@ -586,10 +588,13 @@ protected void CmdLog(byte[][] args)
             var sb = new StringBuilder();
             foreach (var arg in args)
             {
+                var strArg = arg.FromUtf8Bytes();
+                if (strArg == Password) continue;
+
                 if (sb.Length > 0)
                     sb.Append(" ");
-
-                sb.Append(arg.FromUtf8Bytes());
+                
+                sb.Append(strArg);
 
                 if (sb.Length > 100)
                     break;
@@ -599,7 +604,7 @@ protected void CmdLog(byte[][] args)
             {
                 this.lastCommand = this.lastCommand.Substring(0, 100) + "...";
             }
-
+            
             log.Debug("S: " + this.lastCommand);
         }
 
diff --git a/tests/ServiceStack.Redis.Tests/RedisPasswordTests.cs b/tests/ServiceStack.Redis.Tests/RedisPasswordTests.cs
@@ -2,10 +2,11 @@
 
 namespace ServiceStack.Redis.Tests
 {
-    [Explicit("Integration")]
     [TestFixture]
     public class RedisPasswordTests
     {
+
+        [Explicit("Integration")]
         [Test]
         public void Can_connect_to_Slaves_and_Masters_with_Password()
         {
@@ -22,5 +23,25 @@ public void Can_connect_to_Slaves_and_Masters_with_Password()
                 Assert.That(value, Is.EqualTo("Bar"));
             }
         }
+
+        [Test]
+        [ExpectedException(typeof(ServiceStack.Redis.RedisResponseException), UserMessage = "Expected an exception after Redis AUTH command; try using a password that doesn't match.")]
+        public void Passwords_are_not_leaked_in_exception_messages()
+        {
+            const string password = "yesterdayspassword";
+            try
+            {
+                var factory = new PooledRedisClientManager(password + "@" + TestConfig.SingleHost); // redis will throw when using password and it's not configured
+                using (var redis = factory.GetClient())
+                {
+                    redis.SetEntry("Foo", "Bar");
+                }
+            }
+            catch (RedisResponseException ex)
+            {
+                Assert.That(ex.Message, Is.Not.StringContaining(password));
+                throw;
+            }
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -270,9 +270,11 @@ private bool HandleSocketException(SocketException ex)`
`270`	`270`	`private RedisResponseException CreateResponseError(string error)`
`271`	`271`	`{`
`272`	`272`	`HadExceptions = true;`
	`273`	`+ string safeLastCommand = (Password == null) ? lastCommand : lastCommand.Replace(Password, "");`
	`274`	`+`
`273`	`275`	`var throwEx = new RedisResponseException(`
`274`	`276`	`string.Format("{0}, sPort: {1}, LastCommand: {2}",`
`275`		`- error, clientPort, lastCommand));`
	`277`	`+ error, clientPort, safeLastCommand));`
`276`	`278`	`log.Error(throwEx.Message);`
`277`	`279`	`throw throwEx;`
`278`	`280`	`}`
`@@ -586,10 +588,13 @@ protected void CmdLog(byte[][] args)`
`586`	`588`	`var sb = new StringBuilder();`
`587`	`589`	`foreach (var arg in args)`
`588`	`590`	`{`
	`591`	`+ var strArg = arg.FromUtf8Bytes();`
	`592`	`+ if (strArg == Password) continue;`
	`593`	`+`
`589`	`594`	`if (sb.Length > 0)`
`590`	`595`	`sb.Append(" ");`
`591`		`-`
`592`		`- sb.Append(arg.FromUtf8Bytes());`
	`596`	`+`
	`597`	`+ sb.Append(strArg);`
`593`	`598`
`594`	`599`	`if (sb.Length > 100)`
`595`	`600`	`break;`
`@@ -599,7 +604,7 @@ protected void CmdLog(byte[][] args)`
`599`	`604`	`{`
`600`	`605`	`this.lastCommand = this.lastCommand.Substring(0, 100) + "...";`
`601`	`606`	`}`
`602`		`-`
	`607`	`+`
`603`	`608`	`log.Debug("S: " + this.lastCommand);`
`604`	`609`	`}`
`605`	`610`
Original file line number	Diff line number	Diff line change
`@@ -2,10 +2,11 @@`
`2`	`2`
`3`	`3`	`namespace ServiceStack.Redis.Tests`
`4`	`4`	`{`
`5`		`- [Explicit("Integration")]`
`6`	`5`	`[TestFixture]`
`7`	`6`	`public class RedisPasswordTests`
`8`	`7`	`{`
	`8`	`+`
	`9`	`+ [Explicit("Integration")]`
`9`	`10`	`[Test]`
`10`	`11`	`public void Can_connect_to_Slaves_and_Masters_with_Password()`
`11`	`12`	`{`
`@@ -22,5 +23,25 @@ public void Can_connect_to_Slaves_and_Masters_with_Password()`
`22`	`23`	`Assert.That(value, Is.EqualTo("Bar"));`
`23`	`24`	`}`
`24`	`25`	`}`
	`26`	`+`
	`27`	`+ [Test]`
	`28`	`+ [ExpectedException(typeof(ServiceStack.Redis.RedisResponseException), UserMessage = "Expected an exception after Redis AUTH command; try using a password that doesn't match.")]`
	`29`	`+ public void Passwords_are_not_leaked_in_exception_messages()`
	`30`	`+ {`
	`31`	`+ const string password = "yesterdayspassword";`
	`32`	`+ try`
	`33`	`+ {`
	`34`	`+ var factory = new PooledRedisClientManager(password + "@" + TestConfig.SingleHost); // redis will throw when using password and it's not configured`
	`35`	`+ using (var redis = factory.GetClient())`
	`36`	`+ {`
	`37`	`+ redis.SetEntry("Foo", "Bar");`
	`38`	`+ }`
	`39`	`+ }`
	`40`	`+ catch (RedisResponseException ex)`
	`41`	`+ {`
	`42`	`+ Assert.That(ex.Message, Is.Not.StringContaining(password));`
	`43`	`+ throw;`
	`44`	`+ }`
	`45`	`+ }`
`25`	`46`	`}`
`26`	`47`	`}`