
Commit c69adf6

committed
fix API Request Parameters Logged Credential Masking in ApiServer
1 parent e90e436 commit c69adf6


1 file changed

+22
-4
lines changed

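--- a/server/src/main/java/com/cloud/api/ApiServer.java
+++ b/server/src/main/java/com/cloud/api/ApiServer.java
@@ -39,6 +39,7 @@
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Arrays;
 import java.util.Map;
 import java.util.Set;
 import java.util.TimeZone;
@@ -610,10 +611,27 @@ public String handleRequest(final Map params, final String responseType, final S
 logger.error("invalid request, no command sent");
 if (logger.isTraceEnabled()) {
 logger.trace("dumping request parameters");
-for (final Object key : params.keySet()) {
-final String keyStr = (String)key;
-final String[] value = (String[])params.get(key);
-logger.trace(" key: " + keyStr + ", value: " + ((value == null) ? "'null'" : value[0]));
+Set<String> sensitiveFields = new HashSet<>(Arrays.asList(
+"password", "secretkey", "apikey", "token",
+"sessionkey", "accesskey", "signature",
+"authorization", "credential", "secret"
+));
+
+for (final Object key : params.keySet()) {
+final String keyStr = (String) key;
+final String[] value = (String[]) params.get(key);
+
+boolean isSensitive = sensitiveFields.stream()
+.anyMatch(field -> keyStr.toLowerCase().contains(field));
+
+String logValue;
+if (isSensitive) {
+logValue = "******"; // mask sensitive values
+} else {
+logValue = (value == null) ? "'null'" : value[0];
+}
+
+logger.trace(" key: " + keyStr + ", value: " + logValue);
 }
 }
 throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, "Invalid request, no command sent");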
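Review bot: The sensitivity check in the new `anyMatch` lambda uses `keyStr.toLowerCase()` without a locale, so on a JVM whose default locale is Turkish a key such as `APIKEY` or `SESSIONKEY` lowercases with a dotless ı and never matches `"apikey"`/`"sessionkey"`, and the credential is written to the trace log unmasked; use `keyStr.toLowerCase(Locale.ROOT).contains(field)` and add `import java.util.Locale;` alongside the new `Arrays` import. The `sensitiveFields` set is also rebuilt on every request that reaches this branch and is only ever scanned linearly, so it belongs in a `private static final Set<String> SENSITIVE_PARAM_FRAGMENTS` (or a `String[]`) at class level, which would let other parameter-dumping log sites in this file reuse the same list rather than drift from it. The masked branch also leaves the pre-existing `value[0]` access unguarded for a zero-length array; `(value == null || value.length == 0) ? "'null'" : value[0]` would keep the trace path from throwing. handleRequest begins and ends outside this hunk.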
