gnodet commented on PR #22344:
URL: https://github.com/apache/camel/pull/22344#issuecomment-4168413938
_Claude Code on behalf of Guillaume Nodet_
### Suggestion: plugin-aware sanitization instead of tag-name heuristics
The current regex approach matches any XML element whose tag name contains
keywords like "password", "token", "secret", etc. This has inherent limitations:
**False positives** — non-secret values get masked:
- `<password-policy>strict</password-policy>` — a config value, not a
credential
- `<token-refresh-interval>300</token-refresh-interval>` — a numeric setting
- These masked values might be useful for the migration analysis
**False negatives** — actual secrets are missed:
- Credentials stored in elements with non-obvious names
- `<my.credential>secret</my.credential>` — "credential" (singular) isn't in
the keyword list
A more accurate approach would be **plugin/mojo-aware**:
1. **Maintain a catalog of known plugins and their sensitive configuration
parameters:**
```
maven-deploy-plugin → [password]
maven-jarsigner-plugin → [storepass, keypass]
docker-maven-plugin → [password, authConfig/password]
sql-maven-plugin → [password]
maven-scm-plugin → [password, passphrase]
...
```
2. **Parse the POM as XML**, identify each `<plugin>` by its `<artifactId>`,
look up its sensitive config params in the catalog.
3. **Trace property references**: if a sensitive param uses `${prop.name}`,
resolve it back to `<properties>` and mask the property value there.
This is more work than the current regex, but it's precise — no false
positives on config values, no false negatives on credentials in
non-obviously-named elements, and no need to strip entire POM sections
(`<servers>` belongs to settings.xml not pom.xml, and
`<distributionManagement>` contains URLs not credentials).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
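The three steps above (plugin catalog, XML-aware lookup by `<artifactId>`, back-resolution of `${prop}` references into `<properties>`) as an added, self-contained example; this is not code from the comment, the PR, or the Camel project, and it is written in Python rather than the project's Java purely so it runs stand-alone. The `SENSITIVE_PARAMS` catalog copies the comment's table and is an assumption, not a maintained list; the sample POM is constructed for the demo. It masks literal values in place, follows a `${...}` reference (including chained references) back to the property and masks it there, covers both plugin-level and per-`<execution>` `<configuration>` blocks, and deliberately leaves `<password-policy>` and `<token-refresh-interval>` untouched.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
MASK = "***"
PROP_REF = re.compile(r"\$\{([^}]+)\}")

# Assumed catalog: artifactId -> '/'-separated paths under <configuration> that hold
# credentials. Mirrors the comment's table; not an authoritative list.
SENSITIVE_PARAMS = {
    "maven-deploy-plugin": ["password"],
    "maven-jarsigner-plugin": ["storepass", "keypass"],
    "docker-maven-plugin": ["password", "authConfig/password"],
    "sql-maven-plugin": ["password"],
    "maven-scm-plugin": ["password", "passphrase"],
}


def local(tag):
    """Local element name, with the {namespace} prefix ElementTree adds removed."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    return [c for c in elem if local(c.tag) == name]


def find_path(elem, path):
    """All descendants reached from elem by a '/'-separated local-name path."""
    nodes = [elem]
    for part in path.split("/"):
        nodes = [c for n in nodes for c in children(n, part)]
    return nodes


def sanitize_pom(xml_text):
    """Return (sanitized POM text, list describing what was masked)."""
    ET.register_namespace("", POM_NS)  # keep the default namespace on output
    root = ET.fromstring(xml_text)
    masked = []
    # Top-level and per-profile <properties> blocks, for back-resolution.
    prop_blocks = [p for p in root.iter() if local(p.tag) == "properties"]

    def mask_property(name, seen=frozenset()):
        if name in seen:  # guard against ${a} -> ${b} -> ${a} cycles
            return
        for block in prop_blocks:
            for prop in children(block, name):
                value = (prop.text or "").strip()
                refs = PROP_REF.findall(value)
                if refs:  # property is itself a reference: follow it
                    for ref in refs:
                        mask_property(ref, seen | {name})
                elif value and value != MASK:
                    prop.text = MASK
                    masked.append(f"property {name}")

    def mask_value(elem, where):
        value = (elem.text or "").strip()
        if not value:
            return
        refs = PROP_REF.findall(value)
        if refs:  # the reference text is not secret; the property value is
            for ref in refs:
                mask_property(ref)
        else:
            elem.text = MASK
            masked.append(where)

    for plugin in root.iter():
        if local(plugin.tag) != "plugin":
            continue
        ids = children(plugin, "artifactId")
        artifact_id = (ids[0].text or "").strip() if ids else ""
        params = SENSITIVE_PARAMS.get(artifact_id)
        if not params:
            continue
        # Plugin-level <configuration> plus each <execution>/<configuration>.
        configs = children(plugin, "configuration")
        for execs in children(plugin, "executions"):
            for ex in children(execs, "execution"):
                configs.extend(children(ex, "configuration"))
        for config in configs:
            for path in params:
                for node in find_path(config, path):
                    mask_value(node, f"{artifact_id} {path}")

    return ET.tostring(root, encoding="unicode"), masked


# Constructed sample POM: one credential via a property reference, two literals,
# and two "password"/"token"-named settings that must survive untouched.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>demo</artifactId>
  <properties>
    <docker.password>hunter2</docker.password>
    <password-policy>strict</password-policy>
    <token-refresh-interval>300</token-refresh-interval>
  </properties>
  <build><plugins>
    <plugin>
      <artifactId>docker-maven-plugin</artifactId>
      <configuration><authConfig>
        <username>deployer</username>
        <password>${docker.password}</password>
      </authConfig></configuration>
    </plugin>
    <plugin>
      <artifactId>maven-jarsigner-plugin</artifactId>
      <executions><execution><id>sign</id><configuration>
        <storepass>changeit</storepass>
        <keypass>s3cret</keypass>
      </configuration></execution></executions>
    </plugin>
  </plugins></build>
</project>"""

if __name__ == "__main__":
    text, report = sanitize_pom(SAMPLE_POM)
    print(text)
    print(report)
```

Unresolvable references such as `${env.DOCKER_PASSWORD}` simply find no matching property and are left alone, which is the correct behaviour since the POM then contains no secret to mask; a production version would want to log those for review, and would also need to handle `<pluginManagement>` and `<profiles>`, both of which this walker already covers because it scans every `<plugin>` and every `<properties>` element in the tree.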