
Filter out Basic Authorization tokens
We filter out Bearer / SharedKey tokens from the log output but Basic
authorization tokens were not being filtered out.

CVE-2023-46175
agrare committed Nov 17, 2023
1 parent 0c52733 commit e8cb103
Showing 2 changed files with 21 additions and 16 deletions.
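--- a/lib/vmdb/loggers/provider_sdk_logger.rb
+++ b/lib/vmdb/loggers/provider_sdk_logger.rb
@@ -17,6 +17,7 @@ def <<(msg)
 class Formatter < ManageIQ::Loggers::Base::Formatter
 def call(severity, datetime, progname, msg)
 msg = msg.sub(/Bearer(.*?)\"/, 'Bearer [FILTERED] "')
+msg = msg.sub(/Basic(.*?)\"/, 'Basic [FILTERED] "')
 msg = msg.sub(/SharedKey(.*?)\"/, 'SharedKey [FILTERED] "')
 msg = msg.sub(/client_secret=(.*?)&/, "client_secret=[FILTERED]&")
 msg = msg.sub(/apikey=(.*?)\"/, 'apikey=[FILTERED]"')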
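Review bot: The new Basic filter uses `sub`, which masks only the first match, so a message that carries the Basic credential twice (a retried request logged on one line, for example) still writes the second copy in clear; `msg = msg.gsub(/Basic(.*?)"/, 'Basic [FILTERED] "')` covers every occurrence, and the Bearer, SharedKey and apikey lines in the same hunk share the same limitation. The pattern also relies on a closing `"` on the same line, so a credential logged as `Authorization: Basic` followed by the token with no trailing quote is presumably left unmasked, though whether the provider SDKs ever log in that form is not visible here. The spec added in spec/lib/vmdb/loggers/provider_sdk_logger_spec.rb exercises only the single quoted form; a case with the token repeated or unquoted would pin the intended behaviour. `call` begins and ends outside the hunk.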
36 changes: 20 additions & 16 deletions spec/lib/vmdb/loggers/provider_sdk_logger_spec.rb
Expand Up @@ -4,23 +4,27 @@
@log = described_class.new(@log_stream)
end

context "azure" do
it "filters out bearer tokens" do
@log.log(@log.level, 'Bearer abcd1234 "stuff"')
@log_stream.rewind
expect(@log_stream.read).to match(Regexp.quote('Bearer [FILTERED] "stuff"'))
end
it "filters out bearer tokens" do
@log.log(@log.level, 'Bearer abcd1234 "stuff"')
@log_stream.rewind
expect(@log_stream.read).to match(Regexp.quote('Bearer [FILTERED] "stuff"'))
end

it "filters out basic tokens" do
@log.log(@log.level, 'Authorization: "Basic abcd1234"')
@log_stream.rewind
expect(@log_stream.read).to match(Regexp.quote('Authorization: "Basic [FILTERED] "'))
end

it "filters out sharedkey tokens" do
@log.log(@log.level, 'SharedKey xxx123 "stuff"')
@log_stream.rewind
expect(@log_stream.read).to match(Regexp.quote('SharedKey [FILTERED] "stuff"'))
end
it "filters out sharedkey tokens" do
@log.log(@log.level, 'SharedKey xxx123 "stuff"')
@log_stream.rewind
expect(@log_stream.read).to match(Regexp.quote('SharedKey [FILTERED] "stuff"'))
end

it "filters out client secret tokens" do
@log.log(@log.level, 'client_secret=abc123&management=yadayada')
@log_stream.rewind
expect(@log_stream.read).to match(Regexp.quote('client_secret=[FILTERED]&management=yadayada'))
end
it "filters out client secret tokens" do
@log.log(@log.level, 'client_secret=abc123&management=yadayada')
@log_stream.rewind
expect(@log_stream.read).to match(Regexp.quote('client_secret=[FILTERED]&management=yadayada'))
end
end
