Re: [I] [Improvement] [log] If the password is passed as a parameter in the task log, the password will still be in clear text [dolphinscheduler]

Wed, 02 Jul 2025 01:47:15 -0700 


delei commented on issue #16698:
URL: 
https://github.com/apache/dolphinscheduler/issues/16698#issuecomment-3026920660

   Hi, @SbloodyS .I encountered the same problem,please refer to this and see 
if it is helpful to you.
   
   ## Version
   3.2.0
   
   ## Solution
   I achieved this by customizing the source code.
   
   - add a new pattern to `SensitiveDataConverter`
   
   ```java
   private static final Pattern VAR_POOL_PATTERN =
               
Pattern.compile("(?s)(\\{[^}]*(\"|\\\\\")prop(\"|\\\\\")\\s*:\\s*(\"|\\\\\")[^(\"|\\\\\")]*(?i:password)[^(\"|\\\\\")]*(\"|\\\\\")[^}]*(\"|\\\\\")value(\"|\\\\\")\\s*:\\s*(\"|\\\\\"))([^(\"|\\\\\")]*)((\"|\\\\\")[^}]*)");
   ```
   
   
   
   - modify the logic of method `maskSensitiveData()`,use this new pattern for 
matching and filtering.replace with `******`
   
   ```java
   public static String maskSensitiveData(final String logMsg) {
       // ... original code
       return replaceVarPoolSensitiveData(sb.toString());
   }
   
   public static String replaceVarPoolSensitiveData(String jsonString) {
       Matcher matcher = VAR_POOL_PATTERN.matcher(jsonString);
       return matcher.replaceAll("$1******$3");
   }
   ```
   
   ## Example
   The content in the log:
   
   ### prepareParamsMap
   
   ```json
   "prepareParamsMap" : {
     "DB_PASSWORD" : {
       "prop" : "DB_PASSWORD",
       "direct" : "IN",
       "type" : "VARCHAR",
       "value" : "******"
      },
     "password" : {
       "prop" : "password",
       "direct" : "IN",
       "type" : "VARCHAR",
       "value" : "******"
      },
     "system.project.code" : {
       "prop" : "system.project.code",
       "direct" : "IN",
       "type" : "VARCHAR",
       "value" : "11455319998912"
     }
   }
   ```
   ### varPool
   
   ```json
   "varPool" : 
"[{\"prop\":\"DB_PASSWORD\",\"direct\":\"IN\",\"type\":\"VARCHAR\",\"value\":\"******\"},{\"prop\":\"password\",\"direct\":\"IN\",\"type\":\"VARCHAR\",\"value\":\"******\"},{\"prop\":\"DB_USER\",\"direct\":\"IN\",\"type\":\"VARCHAR\",\"value\":\"test_user\"}]",
   
   ```
   
   ### Set taskVarPool
   
   ```shell
   [INFO] 2025-07-02 15:44:46.152 +0800 - Set taskVarPool: 
[{"prop":"DB_PASSWORD","direct":"IN","type":"VARCHAR","value":"******"},{"prop":"password","direct":"IN","type":"VARCHAR","value":"******"},{"prop":"DB_USER","direct":"IN","type":"VARCHAR","value":"test_user"}]
 successfully
   ```
   
   ## Notes
   - This may not be the best solution.
   - Does not affect the default pattern.
   - I only tested two task types: `shell` and `datax`.
   - It is recommended to adjust the expression to better comply with parameter 
naming conventions.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to