This is an automated email from the ASF dual-hosted git repository. jbonofre pushed a commit to branch karaf-4.3.x in repository https://gitbox.apache.org/repos/asf/karaf.git
The following commit(s) were added to refs/heads/karaf-4.3.x by this push: new 702d69c1f7 KARAF-7537 - Password displayed in console using repo-list 702d69c1f7 is described below commit 702d69c1f72b4a15684f583937de7c467849341f Author: Colm O hEigeartaigh <cohei...@apache.org> AuthorDate: Mon Oct 3 16:29:16 2022 +0100 KARAF-7537 - Password displayed in console using repo-list (cherry picked from commit 2a6adc8a9821aa50e37ebc5a2426ee2347ff0915) --- .../karaf/features/command/RepoListCommand.java | 7 ++++- .../features/command/RepoListCommandTest.java | 35 ++++++++++++++++++++-- .../karaf/webconsole/features/FeaturesPlugin.java | 4 +++ 3 files changed, 43 insertions(+), 3 deletions(-) diff --git a/features/command/src/main/java/org/apache/karaf/features/command/RepoListCommand.java b/features/command/src/main/java/org/apache/karaf/features/command/RepoListCommand.java index a91182f832..6c59da8e9a 100644 --- a/features/command/src/main/java/org/apache/karaf/features/command/RepoListCommand.java +++ b/features/command/src/main/java/org/apache/karaf/features/command/RepoListCommand.java @@ -59,7 +59,12 @@ public class RepoListCommand extends FeaturesCommandSupport { if (repo != null) { if (showBlacklisted || !repo.isBlacklisted()) { Row row = table.addRow(); - row.addContent(repo.getName(), repo.getURI().toString()); + String uri = repo.getURI().toString(); + // Hide the user:password if it contains one + if (uri.matches("\\S*://\\S*:\\S*@\\S*")) { + uri = uri.replaceFirst("://\\S*@", "://*****:*****@"); + } + row.addContent(repo.getName(), uri); if (showBlacklisted) { row.addContent(repo.isBlacklisted() ? "yes" : "no"); } diff --git a/features/command/src/test/java/org/apache/karaf/features/command/RepoListCommandTest.java b/features/command/src/test/java/org/apache/karaf/features/command/RepoListCommandTest.java index 888138b620..8957c3a9e6 100644 --- a/features/command/src/test/java/org/apache/karaf/features/command/RepoListCommandTest.java 
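Review bot: The guard `uri.matches("\\S*://\\S*:\\S*@\\S*")` in RepoListCommand.java only fires when a colon precedes the `@`, so a URI whose userinfo has no colon (for example a token-only `https://TOKEN@host/...`, a constructed sample) is still printed unmasked. Neither pattern is bounded to the authority part: `\\S*@` is greedy and runs to the last `@` in the string, so a credential-free URI with a port and an `@` in its path passes the guard and has its host rewritten. Bounding the match and dropping the guard covers both cases: `uri = uri.replaceFirst("://[^/?#\\s]*@", "://*****:*****@");`. This should be confirmed against the `mvn:` URL forms Karaf accepts. The same two lines are added to FeaturesPlugin.java in this commit, and the enclosing method starts and ends outside the hunk.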
+++ b/features/command/src/test/java/org/apache/karaf/features/command/RepoListCommandTest.java @@ -28,8 +28,7 @@ import java.io.ByteArrayOutputStream; import java.io.PrintStream; import java.net.URI; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; +import static org.junit.Assert.*; public class RepoListCommandTest extends RepositoryCommandTestBase { @@ -138,4 +137,36 @@ public class RepoListCommandTest extends RepositoryCommandTestBase { EasyMock.verify(service, blacklistedRepo, whitelistedRepo); } + + @Test + public void testPasswordsHidden() throws Exception { + FeaturesService service = EasyMock.createMock(FeaturesService.class); + + Repository repo = EasyMock.createMock(Repository.class); + URI repoUri = URI.create("mvn:https://user:passw...@repo1.maven.org/maven2!org.apache.cxf.karaf/apache-cxf/3.5.3/xml/features"); + EasyMock.expect(repo.getURI()).andReturn(repoUri).anyTimes(); + EasyMock.expect(repo.getName()).andReturn("cxf-3.5.3").anyTimes(); + EasyMock.expect(repo.isBlacklisted()).andReturn(false); + + EasyMock.expect(service.listRepositories()).andReturn(new Repository[]{repo}); + + EasyMock.replay(service, repo); + + RepoListCommand repoListCommand = new RepoListCommand(); + repoListCommand.setFeaturesService(service); + repoListCommand.noFormat = true; + + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + PrintStream out = new PrintStream(baos); + System.setOut(out); + + repoListCommand.execute(); + out.flush(); + + String commandOutput = baos.toString(); + assertTrue(commandOutput.contains("*****:*****")); + assertFalse(commandOutput.contains("user:password")); + + EasyMock.verify(service, repo); + } } diff --git a/webconsole/features/src/main/java/org/apache/karaf/webconsole/features/FeaturesPlugin.java b/webconsole/features/src/main/java/org/apache/karaf/webconsole/features/FeaturesPlugin.java index a08cc06e2f..0ad1fef12e 100644 
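Review bot: `testPasswordsHidden` calls `System.setOut(out)` and never restores the original stream, so anything printed later in the same JVM keeps going into this buffer. Save the stream first with `PrintStream original = System.out;` and put `System.setOut(original);` in a `finally` around `execute()` and the assertions. The test also pins only the `user:password@` form. Adding a repository URI with no credentials (expected unchanged) and one whose userinfo has no colon would document what the masking is meant to cover and catch over- or under-matching by the regex.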
--- a/webconsole/features/src/main/java/org/apache/karaf/webconsole/features/FeaturesPlugin.java +++ b/webconsole/features/src/main/java/org/apache/karaf/webconsole/features/FeaturesPlugin.java @@ -277,6 +277,10 @@ public class FeaturesPlugin extends AbstractWebConsolePlugin { jw.value(name); jw.key("url"); String uri = r.getURI().toString(); + // Hide the user:password if it contains one + if (uri.matches("\\S*://\\S*:\\S*@\\S*")) { + uri = uri.replaceFirst("://\\S*@", "://*****:*****@"); + } jw.value(uri); jw.key("actions"); jw.array();
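Review bot: The masking added in FeaturesPlugin.java duplicates the two lines added in RepoListCommand.java, so any later correction to the pattern has to be made in both places. A single static helper with a precompiled `Pattern`, reachable from both modules, would keep the shell and web console output consistent. The masked string is also what is written under the JSON `url` key. If the web console client sends that value back to identify the repository for the entries under `actions` (not visible in this hunk), the lookup would stop matching for repositories that carry credentials. In that case the response needs a separate identifier alongside the masked display value. The surrounding method starts and ends outside the hunk.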