This is an automated email from the ASF dual-hosted git repository.
vishesh pushed a commit to branch 4.20
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/4.20 by this push:
new 028dd869456 fixed Password Exposure in IPMI Tool Command Execution
(#12028)
028dd869456 is described below
commit 028dd86945679cd77606afd12b3ed8035e98511e
Author: YoulongChen <[email protected]>
AuthorDate: Thu Nov 13 16:10:36 2025 +0800
fixed Password Exposure in IPMI Tool Command Execution (#12028)
---
.../org/apache/cloudstack/utils/process/ProcessRunner.java | 11 ++++++++---
.../apache/cloudstack/utils/process/ProcessRunnerTest.java | 12 ++++++++++++
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git
a/utils/src/main/java/org/apache/cloudstack/utils/process/ProcessRunner.java
b/utils/src/main/java/org/apache/cloudstack/utils/process/ProcessRunner.java
index 430fa56aa68..e2d3be05772 100644
--- a/utils/src/main/java/org/apache/cloudstack/utils/process/ProcessRunner.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/process/ProcessRunner.java
@@ -67,11 +67,13 @@ public final class ProcessRunner {
public ProcessRunner(ExecutorService executor) {
this.executor = executor;
commandLogReplacements.add(new Ternary<>("ipmitool", "-P\\s+\\S+", "-P
*****"));
+ commandLogReplacements.add(new Ternary<>("ipmitool",
"(?i)password\\s+\\S+\\s+\\S+", "password **** ****"));
}
/**
* Executes a process with provided list of commands with a max default
timeout
* of 5 minutes
+ *
* @param commands list of string commands
* @return returns process result
*/
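Review bot: The pattern added in the second `commandLogReplacements.add` call masks exactly two whitespace-delimited tokens after `password`, so a password that itself contains whitespace would leave its tail in the log; the existing `-P\\s+\\S+` rule has the same limit. How `commandLog` is assembled from the argument list is outside this hunk, so this is inferred from the regex alone. If nothing that needs to stay readable can follow the password in these commands, masking to the end of the string is the safer default for a log filter: `"(?i)password\\s+\\S+\\s+.+"` with the same replacement. Either way, a comment naming the command shape the rule targets would help, e.g. `// masks "user set password <id> <password>"; assumes no whitespace inside the password`.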
@@ -82,6 +84,7 @@ public final class ProcessRunner {
/**
* Executes a process with provided list of commands with a given timeout
that is less
* than or equal to DEFAULT_MAX_TIMEOUT
+ *
* @param commands list of string commands
* @param timeOut timeout duration
* @return returns process result
@@ -109,14 +112,16 @@ public final class ProcessRunner {
}
});
try {
- logger.debug("Waiting for a response from command [{}].
Defined timeout: [{}].", commandLog, timeOut.getStandardSeconds());
+ logger.debug("Waiting for a response from command [{}].
Defined timeout: [{}].", commandLog,
+ timeOut.getStandardSeconds());
retVal = processFuture.get(timeOut.getStandardSeconds(),
TimeUnit.SECONDS);
} catch (ExecutionException e) {
- logger.warn("Failed to complete the requested command [{}] due
to execution error.", commands, e);
+ logger.warn("Failed to complete the requested command [{}] due
to execution error.", commandLog, e);
retVal = -2;
stdError = e.getMessage();
} catch (TimeoutException e) {
- logger.warn("Failed to complete the requested command [{}]
within timeout. Defined timeout: [{}].", commandLog,
timeOut.getStandardSeconds(), e);
+ logger.warn("Failed to complete the requested command [{}]
within timeout. Defined timeout: [{}].",
+ commandLog, timeOut.getStandardSeconds(), e);
retVal = -1;
stdError = "Operation timed out, aborted.";
} finally {
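Review bot: Nothing in this block records that `commands` holds the unredacted arguments, which is presumably how the `ExecutionException` branch came to log it. A short comment before the `try`, such as `// log commandLog only: commands carries the raw arguments, including credentials`, would make the rule visible to the next editor. The method starts and ends outside this hunk, so any other logger call or result field there that still uses `commands` is worth checking. `stdError = e.getMessage()` is also handed back unmasked; whether that message can ever contain argument text is not visible here.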
diff --git
a/utils/src/test/java/org/apache/cloudstack/utils/process/ProcessRunnerTest.java
b/utils/src/test/java/org/apache/cloudstack/utils/process/ProcessRunnerTest.java
index 6fc34ded259..0e594f2b0c9 100644
---
a/utils/src/test/java/org/apache/cloudstack/utils/process/ProcessRunnerTest.java
+++
b/utils/src/test/java/org/apache/cloudstack/utils/process/ProcessRunnerTest.java
@@ -60,4 +60,16 @@ public class ProcessRunnerTest {
Assert.assertTrue(log.contains(password));
Assert.assertEquals(1, countSubstringOccurrences(log, password));
}
+
+ @Test
+ public void testRemoveCommandSensitiveInfoForLoggingIpmiPasswordCommand() {
+ String userId = "3";
+ String newPassword = "Sup3rSecr3t!";
+ String command = String.format("/usr/bin/ipmitool user set password %s
%s", userId, newPassword);
+ String log =
processRunner.removeCommandSensitiveInfoForLogging(command);
+
+ Assert.assertFalse(log.contains(userId));
+ Assert.assertFalse(log.contains(newPassword));
+ Assert.assertTrue(log.contains("password **** ****"));
+ }
}
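Review bot: `Assert.assertFalse(log.contains(userId))` checks for the one-character string `3`, so its result depends on whether any other part of the command happens to contain that digit rather than on the masking itself. Comparing the whole result is tighter, assuming the method applies only the registered replacements: `Assert.assertEquals("/usr/bin/ipmitool user set password **** ****", log);`. A second case with a mixed-case `Password` keyword would cover the `(?i)` flag, and a case with an ipmitool command that carries no password would show that the rule leaves it unchanged.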