[ https://issues.apache.org/jira/browse/CASSANDRA-21113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18050954#comment-18050954 ]

Andrew Weaver commented on CASSANDRA-21113:
-------------------------------------------

Test results from the new test prior to the fix:

4.0:
{code:java}
java.lang.AssertionError: 12 special character(s) failed obfuscation:
- Character '$' (ASCII 36): PASSWORD LEAKED - Result: CREATE ROLE role1 WITH PASSWORD = 'secret$password'
- Character ''' (ASCII 39): PASSWORD LEAKED - Result: CREATE ROLE role1 WITH PASSWORD = 'secret''password'
- Character '(' (ASCII 40): Exception thrown - PatternSyntaxException: Unclosed group near index 33
((?si)password.+?)secret(password
- Character ')' (ASCII 41): Exception thrown - PatternSyntaxException: Unmatched closing ')' near index 23
((?si)password.+?)secret)password
                       ^
- Character '*' (ASCII 42): PASSWORD LEAKED - Result: CREATE ROLE role1 WITH PASSWORD = 'secret*password'
- Character '+' (ASCII 43): PASSWORD LEAKED - Result: CREATE ROLE role1 WITH PASSWORD = 'secret+password'
- Character '?' (ASCII 63): PASSWORD LEAKED - Result: CREATE ROLE role1 WITH PASSWORD = 'secret?password'
- Character '[' (ASCII 91): Exception thrown - PatternSyntaxException: Unclosed character class near index 32
((?si)password.+?)secret[password
                                ^
- Character '\' (ASCII 92): Exception thrown - PatternSyntaxException: Unknown character property name {In/Isa} near index 26
((?si)password.+?)secret\password
                          ^
- Character '^' (ASCII 94): PASSWORD LEAKED - Result: CREATE ROLE role1 WITH PASSWORD = 'secret^password'
- Character '{' (ASCII 123): Exception thrown - PatternSyntaxException: Illegal repetition near index 23
((?si)password.+?)secret{password
                       ^
- Character '|' (ASCII 124): Unexpected result - Expected: CREATE ROLE role1 WITH PASSWORD = '*******', Got: CREATE ROLE role1 WITH PASSWORD = '*******|*******'
        at org.junit.Assert.fail(Assert.java:88)h exit code 255
{code}
trunk:
{code:java}
[junit-timeout] Testsuite: org.apache.cassandra.cql3.PasswordObfuscatorTest-_jdk17 Tests run: 21, Failures: 1, Errors: 1, Skipped: 0, Time elapsed: 0.565 sec
[junit-timeout] 
[junit-timeout] Testcase: testPasswordWithRegexEndQuote(org.apache.cassandra.cql3.PasswordObfuscatorTest)-_jdk17:       Caused an ERROR
[junit-timeout] Illegal/unsupported escape sequence near index 33
[junit-timeout] ((?si)password.+?)\Qsecret\Epassword\E
[junit-timeout]                                  ^
[junit-timeout] java.util.regex.PatternSyntaxException: Illegal/unsupported escape sequence near index 33
[junit-timeout] ((?si)password.+?)\Qsecret\Epassword\E
[junit-timeout]                                  ^
[junit-timeout]         at java.base/java.util.regex.Pattern.error(Pattern.java:2028)
[junit-timeout]         at java.base/java.util.regex.Pattern.escape(Pattern.java:2608)
[junit-timeout]         at java.base/java.util.regex.Pattern.atom(Pattern.java:2286)
[junit-timeout]         at java.base/java.util.regex.Pattern.sequence(Pattern.java:2210)
[junit-timeout]         at java.base/java.util.regex.Pattern.expr(Pattern.java:2069)
[junit-timeout]         at java.base/java.util.regex.Pattern.compile(Pattern.java:1783)
[junit-timeout]         at java.base/java.util.regex.Pattern.<init>(Pattern.java:1430)
[junit-timeout]         at java.base/java.util.regex.Pattern.compile(Pattern.java:1069)
[junit-timeout]         at java.base/java.lang.String.replaceAll(String.java:2944)
[junit-timeout]         at org.apache.cassandra.cql3.PasswordObfuscator.obfuscate(PasswordObfuscator.java:85)
[junit-timeout]         at org.apache.cassandra.cql3.PasswordObfuscatorTest.assertPasswordObfuscated(PasswordObfuscatorTest.java:416)
[junit-timeout]         at org.apache.cassandra.cql3.PasswordObfuscatorTest.testPasswordWithRegexEndQuote(PasswordObfuscatorTest.java:386)
[junit-timeout]         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[junit-timeout]         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
[junit-timeout]         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[junit-timeout] 
[junit-timeout] 
[junit-timeout] Testcase: testAllPrintableSpecialCharactersObfuscation(org.apache.cassandra.cql3.PasswordObfuscatorTest)-_jdk17:        FAILED
[junit-timeout] 3 password(s) with special characters failed obfuscation:
[junit-timeout]   - Password ''password': Unexpected result - Expected: CREATE ROLE role1 WITH PASSWORD = '*******', Got: CREATE ROLE role1 WITH PASSWORD = ''*******'
[junit-timeout]   - Password 'pass'word': PASSWORD LEAKED - Result: CREATE ROLE role1 WITH PASSWORD = 'pass''word'
[junit-timeout]   - Password 'password'': Unexpected result - Expected: CREATE ROLE role1 WITH PASSWORD = '*******', Got: CREATE ROLE role1 WITH PASSWORD = '*******''
[junit-timeout] 
[junit-timeout] junit.framework.AssertionFailedError: 3 password(s) with special characters failed obfuscation:
[junit-timeout]   - Password ''password': Unexpected result - Expected: CREATE ROLE role1 WITH PASSWORD = '*******', Got: CREATE ROLE role1 WITH PASSWORD = ''*******'
[junit-timeout]   - Password 'pass'word': PASSWORD LEAKED - Result: CREATE ROLE role1 WITH PASSWORD = 'pass''word'
[junit-timeout]   - Password 'password'': Unexpected result - Expected: CREATE ROLE role1 WITH PASSWORD = '*******', Got: CREATE ROLE role1 WITH PASSWORD = '*******''
{code}

> PasswordObfuscator fails to obfuscate certain passwords
> -------------------------------------------------------
>
>                 Key: CASSANDRA-21113
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-21113
>             Project: Apache Cassandra
>          Issue Type: Bug
>            Reporter: Andrew Weaver
>            Assignee: Andrew Weaver
>            Priority: Normal
>         Attachments: 4_0.patch, trunk.patch
>
>
> PasswordObfuscator fails to obfuscate passwords containing regex characters 
> ($, +, ?, etc.) or the regex end-quote sequence \E.
> This leads to passwords containing these characters being logged in clear 
> text in audit logs for DCL statements, or in the case of \E on trunk, a 
> java.util.regex.PatternSyntaxException being thrown.
> I've attached patches for the 4.0 branch and trunk.
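As an added illustration, not Cassandra's PasswordObfuscator and not either attached patch (neither is reproduced here), the Java class below contrasts three ways of masking a password in a DCL statement: appending the raw secret to a regex, modelled on the pattern text visible in the exception messages above; quoting it with Pattern.quote and Matcher.quoteReplacement while searching for its CQL literal form (single quotes doubled, which is the form the 'pass''word' result above shows); and masking whatever sits between the quotes after PASSWORD = without using the secret at all. The trunk trace above shows the secret wrapped in \Q...\E; Pattern.quote additionally re-quotes any \E inside the secret, which is exactly the input that trace fails on. Class, method and variable names are assumed, and the sample passwords and statements are constructed.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Added illustration, not Cassandra's PasswordObfuscator and not either
// attached patch. Class, method and variable names are assumed.
public class PasswordRedactionDemo
{
    static final String MASK = "*******";

    // Fragile form, modelled on the pattern text shown in the exception
    // messages above: the raw secret is appended to the regex source, so
    // '$', '+', '?', '|' change what the pattern matches and '(', '[',
    // '{', '\' or a bare "\E" make Pattern.compile() throw.
    static String redactRaw(String statement, String password)
    {
        return statement.replaceAll("((?si)password.+?)" + password, "$1" + MASK);
    }

    // Hardened form. Pattern.quote() wraps the secret in \Q...\E and also
    // re-quotes any "\E" inside it, so no character of the secret is read
    // as regex syntax; Matcher.quoteReplacement() protects the replacement
    // string the same way. The secret is searched for in its CQL literal
    // form (single quotes doubled), which is how it appears in the statement.
    static String redactQuoted(String statement, String password)
    {
        String literal = password.replace("'", "''");
        Pattern p = Pattern.compile("(?si)(password\\s*=\\s*')" + Pattern.quote(literal) + "(')");
        return p.matcher(statement).replaceAll("$1" + Matcher.quoteReplacement(MASK) + "$2");
    }

    // Secret-independent form: mask whatever sits between the quotes after
    // PASSWORD =, honouring CQL's doubled-quote escape, so the redaction
    // never has to know the secret at all.
    static String redactByPosition(String statement)
    {
        return statement.replaceAll("(?si)(password\\s*=\\s*')(?:[^']|'')*(')", "$1" + MASK + "$2");
    }

    // Builds a CREATE ROLE statement the way the test output above shows
    // it, with the password in CQL literal form. Constructed sample input.
    static String createRole(String password)
    {
        return "CREATE ROLE role1 WITH PASSWORD = '" + password.replace("'", "''") + "'";
    }

    // Classifies one redaction result using the same three verdicts as the
    // test output above: leaked, unexpected, or fully masked.
    static String classify(String password, String redacted)
    {
        String literal = password.replace("'", "''");
        if (redacted.contains(literal))
            return "PASSWORD LEAKED - " + redacted;
        if (!redacted.equals("CREATE ROLE role1 WITH PASSWORD = '" + MASK + "'"))
            return "Unexpected result - " + redacted;
        return "ok - " + redacted;
    }

    public static void main(String[] args)
    {
        // Constructed samples covering the failure classes in the test output.
        List<String> samples = List.of("secret$password", "secret(password", "secret|password",
                                       "secret\\Epassword", "pass'word", "'password", "password'");
        for (String password : samples)
        {
            String statement = createRole(password);
            String raw;
            try
            {
                raw = classify(password, redactRaw(statement, password));
            }
            catch (PatternSyntaxException e)
            {
                raw = "Exception thrown - " + e.getDescription();
            }
            System.out.println(password);
            System.out.println("  raw:      " + raw);
            System.out.println("  quoted:   " + classify(password, redactQuoted(statement, password)));
            System.out.println("  position: " + classify(password, redactByPosition(statement)));
        }
    }
}
```

Running main prints, for each constructed sample, the verdict under all three approaches: the raw variant reproduces the leaked, unexpected and exception outcomes listed in the test output, while both the quoted and the position-based variants mask every sample. Of the two hardened forms, the position-based one is the more robust to review, since its behaviour cannot depend on what characters a user chose for the secret.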



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
