Re: [PR] [Chore] Mask token in api log [dolphinscheduler]

[via GitHub]

github-advanced-security[bot] commented on code in PR #17656:
URL: 
https://github.com/apache/dolphinscheduler/pull/17656#discussion_r2502341395


##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/interceptor/RateLimitInterceptor.java:
##########
@@ -75,13 +76,13 @@
                              Object handler) throws ExecutionException {
         // tenant-level rate limit
         if (trafficConfiguration.isTenantSwitch()) {
-            String token = request.getHeader("token");
-            if (!StringUtils.isEmpty(token)) {
-                RateLimiter tenantRateLimiter = 
tenantRateLimiterCache.get(token);
+            final String token = request.getHeader("token");
+            if (StringUtils.isNotEmpty(token)) {
+                final RateLimiter tenantRateLimiter = 
tenantRateLimiterCache.get(token);
                 if (!tenantRateLimiter.tryAcquire()) {
                     response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
-                    log.warn("Too many request, reach tenant rate limit, 
current tenant:{} qps is {}", token,
-                            tenantRateLimiter.getRate());
+                    log.warn("Too many request, reach tenant token: {} rate 
limit, current tenant qps is {}",
+                            MaskUtils.maskString(token, 6), 
tenantRateLimiter.getRate());

Review Comment:
   ## Insertion of sensitive information into log files
   
   This [potentially sensitive information](1) is written to a log file.
   
   [Show more 
details](https://github.com/apache/dolphinscheduler/security/code-scanning/5580)



##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/interceptor/RateLimitInterceptor.java:
##########
@@ -75,13 +76,13 @@
                              Object handler) throws ExecutionException {
         // tenant-level rate limit
         if (trafficConfiguration.isTenantSwitch()) {
-            String token = request.getHeader("token");
-            if (!StringUtils.isEmpty(token)) {
-                RateLimiter tenantRateLimiter = 
tenantRateLimiterCache.get(token);
+            final String token = request.getHeader("token");
+            if (StringUtils.isNotEmpty(token)) {
+                final RateLimiter tenantRateLimiter = 
tenantRateLimiterCache.get(token);
                 if (!tenantRateLimiter.tryAcquire()) {
                     response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
-                    log.warn("Too many request, reach tenant rate limit, 
current tenant:{} qps is {}", token,
-                            tenantRateLimiter.getRate());
+                    log.warn("Too many request, reach tenant token: {} rate 
limit, current tenant qps is {}",
+                            MaskUtils.maskString(token, 6), 
tenantRateLimiter.getRate());

Review Comment:
   ## Log Injection
   
   This log entry depends on a [user-provided value](1).
   
   [Show more 
details](https://github.com/apache/dolphinscheduler/security/code-scanning/5579)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@dolphinscheduler.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org