This is an automated email from the ASF dual-hosted git repository.

vishesh pushed a commit to branch 4.20
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


The following commit(s) were added to refs/heads/4.20 by this push:
     new 81787b310ee fix API Request Parameters Logged Credential Masking in 
ApiServer (#12020)
81787b310ee is described below

commit 81787b310eea6a8210b936e2e7a880144c7c4902
Author: YoulongChen <[email protected]>
AuthorDate: Wed Nov 12 15:36:19 2025 +0800

    fix API Request Parameters Logged Credential Masking in ApiServer (#12020)
---
 server/src/main/java/com/cloud/api/ApiServer.java | 28 +++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/server/src/main/java/com/cloud/api/ApiServer.java 
b/server/src/main/java/com/cloud/api/ApiServer.java
index 5e962cdb382..85d58ec0d53 100644
--- a/server/src/main/java/com/cloud/api/ApiServer.java
+++ b/server/src/main/java/com/cloud/api/ApiServer.java
@@ -39,6 +39,7 @@ import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Arrays;
 import java.util.Map;
 import java.util.Set;
 import java.util.TimeZone;
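Review bot: `import java.util.Arrays;` is inserted between `List` and `Map`, which breaks the alphabetical order the surrounding `java.util` imports keep; it belongs before `java.util.HashMap`, just above this hunk. If the constant set in the next hunk is built with `Set.of(...)` instead of `new HashSet<>(Arrays.asList(...))`, the import is not needed at all.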
@@ -244,6 +245,12 @@ public class ApiServer extends ManagerBase implements 
HttpRequestHandler, ApiSer
     @Inject
     private MessageBus messageBus;
 
+    private static final Set<String> sensitiveFields = new 
HashSet<>(Arrays.asList(
+        "password", "secretkey", "apikey", "token",
+        "sessionkey", "accesskey", "signature",
+        "authorization", "credential", "secret"
+    ));
+
     private static final ConfigKey<Integer> IntegrationAPIPort = new 
ConfigKey<>(ConfigKey.CATEGORY_ADVANCED
             , Integer.class
             , "integration.api.port"
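Review bot: `sensitiveFields` is a mutable `HashSet` behind a `static final` reference, so any code in the class can add to or clear the mask list at runtime; if the project targets Java 9 or later, `private static final Set<String> sensitiveFields = Set.of(...)` yields an unmodifiable set and removes the `Arrays` dependency. Because the check in the trace loop is a substring match (`lowerKeyStr::contains`), the entry `"secretkey"` is redundant with `"secret"`, and a one-line comment such as `// matched case-insensitively as substrings of the parameter name` would make that intent clear to whoever extends the list. If the project already has a central redaction helper for request logging, reusing it here would keep the two lists from drifting apart.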
@@ -610,10 +617,23 @@ public class ApiServer extends ManagerBase implements 
HttpRequestHandler, ApiSer
                 logger.error("invalid request, no command sent");
                 if (logger.isTraceEnabled()) {
                     logger.trace("dumping request parameters");
-                    for (final  Object key : params.keySet()) {
-                        final String keyStr = (String)key;
-                        final String[] value = (String[])params.get(key);
-                        logger.trace("   key: " + keyStr + ", value: " + 
((value == null) ? "'null'" : value[0]));
+
+                    for (final Object key : params.keySet()) {
+                        final String keyStr = (String) key;
+                        final String[] value = (String[]) params.get(key);
+
+                        String lowerKeyStr = keyStr.toLowerCase();
+                        boolean isSensitive = sensitiveFields.stream()
+                            .anyMatch(lowerKeyStr::contains);
+
+                        String logValue;
+                        if (isSensitive) {
+                            logValue = "******"; // mask sensitive values
+                        } else {
+                            logValue = (value == null) ? "'null'" : value[0];
+                        }
+
+                        logger.trace("   key: " + keyStr + ", value: " + 
logValue);
                     }
                 }
                 throw new 
ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, "Invalid request, no 
command sent");
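Review bot: `keyStr.toLowerCase()` uses the JVM's default locale, so under a locale with special casing rules (Turkish, where an upper-case `I` lowercases to a dotless ı) a parameter name such as `APIKEY` would not match `"apikey"` and its value would reach the log unmasked; use `keyStr.toLowerCase(Locale.ROOT)` (`java.util.Locale` must be imported if it is not already). The non-sensitive branch still indexes `value[0]` without checking the array length, so an empty `String[]` would throw from inside the error-logging path; `logValue = (value == null || value.length == 0) ? "'null'" : value[0];` avoids that. The enclosing method begins and continues outside this hunk.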
