
Commit bb746a5

yuryybkgithub-actions[bot]
authored andcommitted
NAVAND-5786 Obfuscate token for shields logs (#9719)
* NAVAND-5786 Obfuscate token for shields logs GitOrigin-RevId: d2a225e5595be543001a14daf0092f64f760ddf2
1 parent fde2cc3 commit bb746a5


4 files changed

+106
-3
lines changed


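--- a/tripdata/build.gradle
+++ b/tripdata/build.gradle
@@ -45,6 +45,7 @@ dependencies {
 implementation dependenciesList.androidXAppCompat
 implementation dependenciesList.kotlinStdLib
 implementation dependenciesList.coroutinesAndroid
+implementation(project(':utils'))
 
 apply from: "../gradle/unit-testing-dependencies.gradle"
 testImplementation(project(':libtesting-utils'))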

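--- a/tripdata/src/main/java/com/mapbox/navigation/tripdata/shield/model/RouteShield.kt
+++ b/tripdata/src/main/java/com/mapbox/navigation/tripdata/shield/model/RouteShield.kt
@@ -6,6 +6,7 @@ import android.util.TypedValue
 import com.mapbox.api.directions.v5.models.MapboxShield
 import com.mapbox.api.directions.v5.models.ShieldSprite
 import com.mapbox.navigation.ui.utils.internal.SvgUtil
+import com.mapbox.navigation.utils.internal.obfuscateAccessToken
 import java.io.ByteArrayInputStream
 
 /**
@@ -74,9 +75,9 @@ sealed class RouteShield(
 */
 override fun toString(): String {
 return "MapboxLegacyShield(" +
-"url='$url', " +
+"url='${url.obfuscateAccessToken()}', " +
 "byteArray=${byteArray.contentToString()}, " +
-"initialUrl=$initialUrl" +
+"initialUrl=${initialUrl.obfuscateAccessToken()}" +
 ")"
 }
 
@@ -155,7 +156,7 @@ sealed class RouteShield(
 */
 override fun toString(): String {
 return "MapboxDesignedShield(" +
-"url='$url', " +
+"url='${url.obfuscateAccessToken()}', " +
 "byteArray=${byteArray.contentToString()}, " +
 "mapboxShield=$mapboxShield, " +
 "shieldSprite=$shieldSprite" +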
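Review bot: The masking covers only `url` and `initialUrl` inside the two `toString()` bodies; `mapboxShield=$mapboxShield` and `shieldSprite=$shieldSprite` in the `MapboxDesignedShield` hunk are still interpolated through their own `toString()`, and the `url` property itself keeps the full token. If either of those objects can carry a tokenised URL (not visible in this diff), or a caller logs `shield.url` directly, the token still reaches the log, so the other log sites that format these fields are worth checking. I would also add a sentence to the existing KDoc on both overrides, e.g. `Access tokens in the URLs are masked, so the result is safe to log but is not a usable request URL.` The `MapboxDesignedShield.toString()` body continues past the end of the last hunk.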
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
package com.mapbox.navigation.utils.internal
2+
3+
private val ACCESS_TOKEN_REGEX = "access_token=([^\\s\\n&?]+)".toRegex()
4+
5+
fun String.obfuscateAccessToken() = ACCESS_TOKEN_REGEX.replace(this) { matchResult ->
6+
val token = matchResult.groupValues[1]
7+
val redactedToken = "****" + token.takeLast(4)
8+
"access_token=$redactedToken"
9+
}
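Review bot: `"****" + token.takeLast(4)` echoes the whole token whenever it has four characters or fewer, and for longer values it always writes four real characters to the log; the tests in the next file pin this (`access_token=123` becomes `****123`, `access_token=1234` becomes `****1234`). Keep the tail only above a minimum length, for example `val tail = if (token.length > 8) token.takeLast(4) else ""` followed by `"access_token=****$tail"`, or drop the tail entirely if nobody correlates tokens from logs. The match is also case-sensitive and tied to the literal `access_token=` form, so a token under another spelling or in URL-encoded form passes through unchanged. A short KDoc on `obfuscateAccessToken` stating what is and is not masked, plus an explicit `: String` return type, would make that contract visible to callers.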
Lines changed: 92 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,92 @@
1+
package com.mapbox.navigation.utils.internal
2+
3+
import org.junit.Assert.assertEquals
4+
import org.junit.Test
5+
6+
class ObfuscateTokenUtilTest {
7+
8+
@Test
9+
fun `obfuscateAccessToken should redact the token in a simple url`() {
10+
val url = "https://api.mapbox.com/directions/v5/mapbox/driving/" +
11+
"-73.989,40.733;-74,40.733?access_token=pk.1234567890"
12+
val expected = "https://api.mapbox.com/directions/v5/mapbox/driving/" +
13+
"-73.989,40.733;-74,40.733?access_token=****7890"
14+
assertEquals(expected, url.obfuscateAccessToken())
15+
}
16+
17+
@Test
18+
fun `obfuscateAccessToken should work when token is the only parameter`() {
19+
val url = "https://api.mapbox.com?access_token=pk.1234567890"
20+
val expected = "https://api.mapbox.com?access_token=****7890"
21+
assertEquals(expected, url.obfuscateAccessToken())
22+
}
23+
24+
@Test
25+
fun `obfuscateAccessToken should work with other query parameters`() {
26+
val url = "https://api.mapbox.com/directions/v5/mapbox/driving?" +
27+
"geometries=polyline&access_token=pk.1234567890&voice_instructions=true"
28+
val expected = "https://api.mapbox.com/directions/v5/mapbox/driving?" +
29+
"geometries=polyline&access_token=****7890&voice_instructions=true"
30+
assertEquals(expected, url.obfuscateAccessToken())
31+
}
32+
33+
@Test
34+
fun `obfuscateAccessToken should not change string without access token`() {
35+
val url = "https://api.mapbox.com/directions/v5/mapbox/driving"
36+
assertEquals(url, url.obfuscateAccessToken())
37+
}
38+
39+
@Test
40+
fun `obfuscateAccessToken should handle empty access token`() {
41+
val url = "https://api.mapbox.com/directions/v5/mapbox/driving?access_token="
42+
assertEquals(url, url.obfuscateAccessToken())
43+
}
44+
45+
@Test
46+
fun `obfuscateAccessToken should handle multiple access tokens`() {
47+
val url = "https://api.mapbox.com?access_token=pk.first&param=1&access_token=pk.second"
48+
val expected = "https://api.mapbox.com?access_token=****irst&param=1&access_token=****cond"
49+
assertEquals(expected, url.obfuscateAccessToken())
50+
}
51+
52+
@Test
53+
fun `obfuscateAccessToken should handle empty string`() {
54+
val url = ""
55+
assertEquals(url, url.obfuscateAccessToken())
56+
}
57+
58+
@Test
59+
fun `obfuscateAccessToken should handle token shorter than 4 chars`() {
60+
val url = "https://api.mapbox.com?access_token=123"
61+
val expected = "https://api.mapbox.com?access_token=****123"
62+
assertEquals(expected, url.obfuscateAccessToken())
63+
}
64+
65+
@Test
66+
fun `obfuscateAccessToken should handle token with exactly 4 chars`() {
67+
val url = "https://api.mapbox.com?access_token=1234"
68+
val expected = "https://api.mapbox.com?access_token=****1234"
69+
assertEquals(expected, url.obfuscateAccessToken())
70+
}
71+
72+
@Test
73+
fun `obfuscateAccessToken should handle token with more than 4 chars`() {
74+
val url = "https://api.mapbox.com?access_token=12345"
75+
val expected = "https://api.mapbox.com?access_token=****2345"
76+
assertEquals(expected, url.obfuscateAccessToken())
77+
}
78+
79+
@Test
80+
fun `obfuscateAccessToken should handle token ending with newline`() {
81+
val url = "https://api.mapbox.com?access_token=pk.1234567890\n"
82+
val expected = "https://api.mapbox.com?access_token=****7890\n"
83+
assertEquals(expected, url.obfuscateAccessToken())
84+
}
85+
86+
@Test
87+
fun `obfuscateAccessToken should handle token followed by ampersand`() {
88+
val url = "https://api.mapbox.com?access_token=pk.1234567890&other=param"
89+
val expected = "https://api.mapbox.com?access_token=****7890&other=param"
90+
assertEquals(expected, url.obfuscateAccessToken())
91+
}
92+
}
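Review bot: No case covers a token followed by a delimiter other than `&` or whitespace. With the character class `[^\s\n&?]+` a trailing `'`, `)` or `#fragment` is counted as part of the token, so an input ending in `access_token=pk.1234567890#frag` would come out as `access_token=****frag` and the fragment would be dropped from the logged URL. A test for that input, and one for a token wrapped in quotes inside a longer log message, would pin whichever result is intended. `should handle token followed by ampersand` repeats what `should work with other query parameters` already checks and could be replaced by one of these.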
