Merge pull request #466 from ammachado/CSB-3783

[OPENJDK-2833] Possible fix for OpenJDK image should scrub passwords from logs

Author: jmtd

modules/run/artifacts/opt/jboss/container/java/run/run-java.sh

@@ -202,6 +202,27 @@ get_classpath() {
   echo "${cp_path}"
 }
 
+# Mask secrets before printing
+mask_passwords() {
+    local content="$1"
+    local result=""
+
+    IFS=' ' read -r -a key_value_pairs <<< "$content"
+
+    for pair in "${key_value_pairs[@]}"; do
+        key=$(echo "$pair" | cut -d '=' -f 1)
+        value=$(echo "$pair" | cut -d '=' -f 2-)
+
+        if [[ $key =~ [Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd] ]]; then
+            result+="$key=***** "
+        else
+            result+="$pair "
+        fi
+    done
+
+    echo "${result% }"
+}
+
 # Start JVM
 startup() {
   # Initialize environment
@@ -215,9 +236,11 @@ startup() {
      args="-jar ${JAVA_APP_JAR}"
   fi
 
-  procname="${JAVA_APP_NAME-java}"
+  local procname="${JAVA_APP_NAME-java}"
+
+  local masked_opts=$(mask_passwords "$(get_java_options)")
 
-  log_info "exec -a \"${procname}\" java $(get_java_options) -cp \"$(get_classpath)\" ${args} $*"
+  log_info "exec -a \"${procname}\" java ${masked_opts} -cp \"$(get_classpath)\" ${args} $*"
   log_info "running in $PWD"
   exec -a "${procname}" java $(get_java_options) -cp "$(get_classpath)" ${args} $*
 }

modules/run/tests/features/run.feature

@@ -0,0 +1,8 @@
+@ubi9
+Feature: OpenJDK run script tests
+  Scenario: Ensure command-line options containing 'password' are masked in logs
+    Given container is started with env
+      | variable         | value                                              |
+      | JAVA_OPTS_APPEND | -Djavax.net.ssl.trustStorePassword=sensitiveString |
+    Then container log should not contain sensitiveString
+