This is an automated email from the ASF dual-hosted git repository.

anmolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/master by this push:
     new 964f5cf6b ZOOKEEPER-5058: Remove special characters from ensemble name 
before logging in EnsembleAuthenticationProvider
964f5cf6b is described below

commit 964f5cf6b0a622c44329246073301f70155e776e
Author: Andor Molnár <[email protected]>
AuthorDate: Wed Jul 8 09:18:16 2026 -0500

    ZOOKEEPER-5058: Remove special characters from ensemble name before logging 
in EnsembleAuthenticationProvider
    
    Reviewers: PDavid, PDavid, phunt
    Author: anmolnar
    Closes #2409 from anmolnar/ZOOKEEPER-5058
---
 .../auth/EnsembleAuthenticationProvider.java       |  3 +-
 .../auth/EnsembleAuthenticationProviderTest.java   | 63 ++++++++++++++++++++++
 2 files changed, 65 insertions(+), 1 deletion(-)

diff --git 
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/EnsembleAuthenticationProvider.java
 
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/EnsembleAuthenticationProvider.java
index 1e24c9283..331db2c5b 100644
--- 
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/EnsembleAuthenticationProvider.java
+++ 
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/EnsembleAuthenticationProvider.java
@@ -92,7 +92,8 @@ public KeeperException.Code handleAuthentication(ServerCnxn 
cnxn, byte[] authDat
         long currentTime = System.currentTimeMillis();
         if (lastFailureLogged + MIN_LOGGING_INTERVAL_MS < currentTime) {
             String id = 
cnxn.getRemoteSocketAddress().getAddress().getHostAddress();
-            LOG.warn("Unexpected ensemble name: ensemble name: {} client ip: 
{}", receivedEnsembleName, id);
+            String logEnsembleName = 
receivedEnsembleName.replaceAll("[\\x00-\\x1F]", "");
+            LOG.warn("Unexpected ensemble name: ensemble name: {} client ip: 
{}", logEnsembleName, id);
             lastFailureLogged = currentTime;
         }
         /*
diff --git 
a/zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/EnsembleAuthenticationProviderTest.java
 
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/EnsembleAuthenticationProviderTest.java
new file mode 100644
index 000000000..23f914d2f
--- /dev/null
+++ 
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/auth/EnsembleAuthenticationProviderTest.java
@@ -0,0 +1,63 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.zookeeper.server.auth;
+
+import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.mock;
+import ch.qos.logback.classic.Level;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.nio.charset.StandardCharsets;
+import org.apache.zookeeper.KeeperException;
+import org.apache.zookeeper.server.ServerCnxn;
+import org.apache.zookeeper.test.LoggerTestTool;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+public class EnsembleAuthenticationProviderTest {
+    private static LoggerTestTool loggerTestTool;
+
+    @BeforeAll
+    public static void setupBeforeClass() {
+        loggerTestTool = new 
LoggerTestTool(EnsembleAuthenticationProvider.class, Level.INFO);
+    }
+
+    @AfterAll
+    public static void tearDownAfterClass() throws Exception {
+        loggerTestTool.close();
+    }
+
+    @Test
+    public void testLogForgeryWithSpecialCharacters() throws IOException {
+        ServerCnxn mockServerCnxn = mock(ServerCnxn.class);
+        InetSocketAddress mockAddress = new InetSocketAddress("127.0.0.1", 
1234);
+        doReturn(mockAddress).when(mockServerCnxn).getRemoteSocketAddress();
+
+        EnsembleAuthenticationProvider provider = new 
EnsembleAuthenticationProvider();
+        provider.setEnsembleNames("test-ensemble");
+
+        byte[] authData = "andor-ensemble\nTHIS SHOULD\t NOT\r BE 
HERE".getBytes(StandardCharsets.UTF_8);
+        KeeperException.Code err = 
provider.handleAuthentication(mockServerCnxn, authData);
+        String logLine = loggerTestTool.readLogLine("andor-ensemble");
+        Assertions.assertTrue(logLine.contains("THIS SHOULD NOT BE HERE"), 
"Log line doesn't contain the entire ensemble name. Forged?");
+
+        Assertions.assertEquals(KeeperException.Code.BADARGUMENTS, err);
+    }
+}

Reply via email to