[ 
https://issues.apache.org/jira/browse/QPID-8460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17172248#comment-17172248
 ] 

ASF GitHub Bot commented on QPID-8460:
--------------------------------------

vavrtom commented on a change in pull request #55:
URL: https://github.com/apache/qpid-broker-j/pull/55#discussion_r466329664



##########
File path: broker-core/src/main/java/org/apache/qpid/server/util/Strings.java
##########
@@ -134,7 +134,8 @@ public static Resolver chain(Resolver... resolvers)
         base64String = base64String.replaceAll("\\s","");
         
if(!base64String.matches("^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"))
         {
-            throw new IllegalArgumentException("Cannot convert string '"+ 
base64String+ "'to a byte[] - it does not appear to be base64 data");
+            // do not add base64String to exception message as it can contain 
private data
+            throw new IllegalArgumentException("Cannot convert string to a 
byte[] - it does not appear to be base64 data");
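Review bot: with base64String dropped from the message on the throw line, the exception no longer says which input was rejected, so a misconfigured attribute will be hard to trace from the log alone. Consider letting callers pass a non-sensitive label (for example the attribute name) and including that in the message. The in-line comment "do not add base64String to exception message" would also be worth repeating in the method's Javadoc, so that callers catching this exception do not re-add the value when they wrap it.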

Review comment:
       Added function <code>Strings.decodePrivateBase64(base64String, description)</code>, which is used in places where private data is decoded. The description is added to the exception message instead of the converted string.





> [Broker-J] Do not expose private information to exception message
> -----------------------------------------------------------------
>
>                 Key: QPID-8460
>                 URL: https://issues.apache.org/jira/browse/QPID-8460
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-9.0.0
>            Reporter: Tomas Vavricka
>            Priority: Minor
>
> * Obfuscate password value if IllegalArgumentException is thrown in ConfiguredAutomatedAttribute.convert()
> * Do not add base64String to IllegalArgumentException message in Strings.java as it can contain private information
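
The pattern described in the review comment above (a caller-supplied description in the exception message instead of the decoded value), as an added sketch that is not Broker-J code. The class name `PrivateBase64Demo`, the method `decodePrivate`, and the sample values are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public final class PrivateBase64Demo
{
    // Hypothetical helper: 'description' must be a non-sensitive label such as an attribute name.
    static byte[] decodePrivate(String base64String, String description)
    {
        if (base64String == null)
        {
            throw new IllegalArgumentException("Cannot convert " + description + " to a byte[] - value is null");
        }
        String compact = base64String.replaceAll("\\s", "");
        try
        {
            return Base64.getDecoder().decode(compact);
        }
        catch (IllegalArgumentException e)
        {
            // Deliberately not chained as the cause: java.util.Base64's own message
            // can name the offending input character, which is part of the secret.
            throw new IllegalArgumentException("Cannot convert " + description
                                               + " to a byte[] - it does not appear to be base64 data");
        }
    }

    public static void main(String[] args)
    {
        String secret = "hunter2:not-base64!"; // constructed sample value
        try
        {
            decodePrivate(secret, "keystore password");
            throw new AssertionError("expected the input to be rejected");
        }
        catch (IllegalArgumentException e)
        {
            // Neither the message nor a chained cause may carry the value.
            if (e.getMessage().contains(secret) || e.getCause() != null)
            {
                throw new AssertionError("private value leaked into exception");
            }
            System.out.println(e.getMessage());
        }
        // Whitespace is stripped before decoding, as in the hunk above.
        byte[] ok = decodePrivate("c2Vj\ncmV0", "keystore password");
        System.out.println(new String(ok, StandardCharsets.UTF_8));
    }
}
```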


