Copilot commented on code in PR #12020:
URL: https://github.com/apache/cloudstack/pull/12020#discussion_r2513379792


##########
server/src/main/java/com/cloud/api/ApiServer.java:
##########
@@ -610,10 +611,27 @@ public String handleRequest(final Map params, final 
String responseType, final S
                 logger.error("invalid request, no command sent");
                 if (logger.isTraceEnabled()) {
                     logger.trace("dumping request parameters");
-                    for (final  Object key : params.keySet()) {
-                        final String keyStr = (String)key;
-                        final String[] value = (String[])params.get(key);
-                        logger.trace("   key: " + keyStr + ", value: " + 
((value == null) ? "'null'" : value[0]));
+                    Set<String> sensitiveFields = new HashSet<>(Arrays.asList(
+                        "password", "secretkey", "apikey", "token",
+                        "sessionkey", "accesskey", "signature",
+                        "authorization", "credential", "secret"
+                    ));
+
+                    for (final Object key : params.keySet()) {
+                        final String keyStr = (String) key;
+                        final String[] value = (String[]) params.get(key);
+
+                        boolean isSensitive = sensitiveFields.stream()
+                            .anyMatch(field -> 
keyStr.toLowerCase().contains(field));
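
Review bot: `keyStr.toLowerCase()` in the `anyMatch` lambda uses the JVM default locale, while the entries in `sensitiveFields` are lowercase ASCII, so the match can miss on a Turkish or Azerbaijani default locale, where `I` lowercases to dotless `ı`: a key such as `SIGNATURE` or `APIKEY` would no longer contain `signature` or `apikey`, and `isSensitive` would be false for it. Use `keyStr.toLowerCase(Locale.ROOT)` so the redaction decision does not depend on the host's locale setting.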

Review Comment:
   The `keyStr.toLowerCase()` is called on every iteration of the loop. This 
can be optimized by calling it once before the stream operation: `String 
lowerKeyStr = keyStr.toLowerCase(); boolean isSensitive = 
sensitiveFields.stream().anyMatch(lowerKeyStr::contains);`
   ```suggestion
                           String lowerKeyStr = keyStr.toLowerCase();
                           boolean isSensitive = sensitiveFields.stream()
                               .anyMatch(lowerKeyStr::contains);
   ```



##########
server/src/main/java/com/cloud/api/ApiServer.java:
##########
@@ -610,10 +611,27 @@ public String handleRequest(final Map params, final 
String responseType, final S
                 logger.error("invalid request, no command sent");
                 if (logger.isTraceEnabled()) {
                     logger.trace("dumping request parameters");
-                    for (final  Object key : params.keySet()) {
-                        final String keyStr = (String)key;
-                        final String[] value = (String[])params.get(key);
-                        logger.trace("   key: " + keyStr + ", value: " + 
((value == null) ? "'null'" : value[0]));
+                    Set<String> sensitiveFields = new HashSet<>(Arrays.asList(
+                        "password", "secretkey", "apikey", "token",
+                        "sessionkey", "accesskey", "signature",
+                        "authorization", "credential", "secret"
+                    ));
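
Review bot: The literal list assigned to `sensitiveFields` is a deny-list, so the trace dump fails open: a parameter whose name matches none of these ten entries is not covered by it, and the removed `logger.trace("   key: " ...)` line shows that the value being protected is the raw `value[0]`. Consider masking every value by default at this point and printing values only for an allow-list of known-harmless parameters, or at least keep the list in one shared constant so that a new credential-bearing parameter is added in a single place. If matching is by substring, as the `contains` check elsewhere in this change suggests, `"secretkey"` is already covered by `"secret"` and can be dropped.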

Review Comment:
   The `sensitiveFields` Set is created on every invalid request within the 
trace logging block. Since this is a constant set, it should be defined as a 
static final class field to avoid unnecessary object creation and improve 
performance.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
