[
https://issues.apache.org/jira/browse/CAMEL-12480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16465098#comment-16465098
]
ASF GitHub Bot commented on CAMEL-12480:
----------------------------------------
PascalSchumacher closed pull request #2317: CAMEL-12480:
HttpOperationFailedException exposes password when using…
URL: https://github.com/apache/camel/pull/2317
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git
a/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcOperationFailedException.java
b/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcOperationFailedException.java
index 7505a1c072f..86fb2ea6f50 100644
---
a/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcOperationFailedException.java
+++
b/components/camel-ahc/src/main/java/org/apache/camel/component/ahc/AhcOperationFailedException.java
@@ -20,6 +20,7 @@
import org.apache.camel.CamelException;
import org.apache.camel.util.ObjectHelper;
+import org.apache.camel.util.URISupport;
public class AhcOperationFailedException extends CamelException {
private static final long serialVersionUID = -6731281444593522633L;
@@ -31,8 +32,9 @@
private final String responseBody;
public AhcOperationFailedException(String url, int statusCode, String
statusText, String location, Map<String, String> responseHeaders, String
responseBody) {
- super("HTTP operation failed invoking " + url + " with statusCode: " +
statusCode + (location != null ? ", redirectLocation: " + location : ""));
- this.url = url;
+ // sanitize url so we do not show sensitive information such as
passwords
+ super("HTTP operation failed invoking " + URISupport.sanitizeUri(url)
+ " with statusCode: " + statusCode + (location != null ? ", redirectLocation:
" + location : ""));
+ this.url = URISupport.sanitizeUri(url);
this.statusCode = statusCode;
this.statusText = statusText;
this.redirectLocation = location;
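Review bot: Only `url` is masked; the redirect `location` is still concatenated into the message unsanitized (`", redirectLocation: " + location`) and stored raw by the unchanged `this.redirectLocation = location;`. A Location value is itself a URL and can presumably carry userinfo the same way the request URL does, so the same treatment would apply: `(location != null ? ", redirectLocation: " + URISupport.sanitizeUri(location) : "")` and `this.redirectLocation = location != null ? URISupport.sanitizeUri(location) : null;` (keeping the existing null guard, since it is not visible here whether sanitizeUri accepts null). The constructor body continues past the end of this hunk. The same pattern appears in the constructors of HttpOperationFailedException and both NettyHttpOperationFailedException classes touched by this PR.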
diff --git
a/components/camel-ahc/src/test/java/org/apache/camel/component/ahc/AhcOperationFailedExceptionTest.java
b/components/camel-ahc/src/test/java/org/apache/camel/component/ahc/AhcOperationFailedExceptionTest.java
new file mode 100644
index 00000000000..1e1a0e12440
--- /dev/null
+++
b/components/camel-ahc/src/test/java/org/apache/camel/component/ahc/AhcOperationFailedExceptionTest.java
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.component.ahc;
+
+import org.junit.Test;
+
+import static org.hamcrest.core.IsNot.not;
+import static org.hamcrest.core.StringContains.containsString;
+import static org.junit.Assert.assertThat;
+
+public class AhcOperationFailedExceptionTest {
+
+ @Test
+ public void testUrlIsSanitized() {
+ AhcOperationFailedException ahcOperationFailedException = new
AhcOperationFailedException("http://user:password@host", 500, "", "", null, "");
+
+ assertThat(ahcOperationFailedException.getMessage(),
not(containsString("password")));
+ assertThat(ahcOperationFailedException.getUrl(),
not(containsString("password")));
+ }
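Review bot: `not(containsString("password"))` on both `getMessage()` and `getUrl()` would also pass if sanitizing dropped the whole URL or returned an empty string, so the test does not pin that the non-secret parts survive masking. A positive assertion alongside each negative one, e.g. `assertThat(ahcOperationFailedException.getUrl(), containsString("host"));` and the same on the message, would catch that regression; if the mask token used by URISupport is stable, asserting the exact sanitized value would be stronger still. The three sibling tests added for HttpOperationFailedException and both NettyHttpOperationFailedException classes have the same gap.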
+}
diff --git
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpOperationFailedException.java
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpOperationFailedException.java
index 20086583ca8..4701783136d 100644
---
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpOperationFailedException.java
+++
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpOperationFailedException.java
@@ -20,6 +20,7 @@
import org.apache.camel.CamelException;
import org.apache.camel.util.ObjectHelper;
+import org.apache.camel.util.URISupport;
public class HttpOperationFailedException extends CamelException {
private static final long serialVersionUID = -8721487434390572634L;
@@ -31,8 +32,9 @@
private final String responseBody;
public HttpOperationFailedException(String uri, int statusCode, String
statusText, String location, Map<String, String> responseHeaders, String
responseBody) {
- super("HTTP operation failed invoking " + uri + " with statusCode: " +
statusCode + (location != null ? ", redirectLocation: " + location : ""));
- this.uri = uri;
+ // sanitize uri so we do not show sensitive information such as
passwords
+ super("HTTP operation failed invoking " + URISupport.sanitizeUri(uri)
+ " with statusCode: " + statusCode + (location != null ? ", redirectLocation:
" + location : ""));
+ this.uri = URISupport.sanitizeUri(uri);
this.statusCode = statusCode;
this.statusText = statusText;
this.redirectLocation = location;
diff --git
a/components/camel-http-common/src/test/java/org/apache/camel/http/common/HttpOperationFailedExceptionTest.java
b/components/camel-http-common/src/test/java/org/apache/camel/http/common/HttpOperationFailedExceptionTest.java
new file mode 100644
index 00000000000..49d98bb2d27
--- /dev/null
+++
b/components/camel-http-common/src/test/java/org/apache/camel/http/common/HttpOperationFailedExceptionTest.java
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.http.common;
+
+import org.junit.Test;
+
+import static org.hamcrest.core.IsNot.not;
+import static org.hamcrest.core.StringContains.containsString;
+import static org.junit.Assert.assertThat;
+
+public class HttpOperationFailedExceptionTest {
+
+ @Test
+ public void testUriIsSanitized() {
+ HttpOperationFailedException httpOperationFailedException = new
HttpOperationFailedException("http://user:password@host", 500, "", "", null,
"");
+
+ assertThat(httpOperationFailedException.getMessage(),
not(containsString("password")));
+ assertThat(httpOperationFailedException.getUri(),
not(containsString("password")));
+ }
+}
diff --git
a/components/camel-netty-http/src/main/java/org/apache/camel/component/netty/http/NettyHttpOperationFailedException.java
b/components/camel-netty-http/src/main/java/org/apache/camel/component/netty/http/NettyHttpOperationFailedException.java
index cf8722a5b97..fda18207efe 100644
---
a/components/camel-netty-http/src/main/java/org/apache/camel/component/netty/http/NettyHttpOperationFailedException.java
+++
b/components/camel-netty-http/src/main/java/org/apache/camel/component/netty/http/NettyHttpOperationFailedException.java
@@ -18,6 +18,7 @@
import org.apache.camel.CamelException;
import org.apache.camel.util.ObjectHelper;
+import org.apache.camel.util.URISupport;
import org.jboss.netty.handler.codec.http.HttpResponse;
/**
@@ -32,8 +33,9 @@
private final transient HttpResponse response;
public NettyHttpOperationFailedException(String uri, int statusCode,
String statusText, String location, HttpResponse response) {
- super("Netty HTTP operation failed invoking " + uri + " with
statusCode: " + statusCode + (location != null ? ", redirectLocation: " +
location : ""));
- this.uri = uri;
+ // sanitize uri so we do not show sensitive information such as
passwords
+ super("Netty HTTP operation failed invoking " +
URISupport.sanitizeUri(uri) + " with statusCode: " + statusCode + (location !=
null ? ", redirectLocation: " + location : ""));
+ this.uri = URISupport.sanitizeUri(uri);
this.statusCode = statusCode;
this.statusText = statusText;
this.redirectLocation = location;
diff --git
a/components/camel-netty-http/src/test/java/org/apache/camel/component/netty/http/NettyHttpOperationFailedExceptionTest.java
b/components/camel-netty-http/src/test/java/org/apache/camel/component/netty/http/NettyHttpOperationFailedExceptionTest.java
new file mode 100644
index 00000000000..8bdd6d0ad8c
--- /dev/null
+++
b/components/camel-netty-http/src/test/java/org/apache/camel/component/netty/http/NettyHttpOperationFailedExceptionTest.java
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.component.netty.http;
+
+import org.junit.Test;
+
+import static org.hamcrest.core.IsNot.not;
+import static org.hamcrest.core.StringContains.containsString;
+import static org.junit.Assert.assertThat;
+
+public class NettyHttpOperationFailedExceptionTest {
+
+ @Test
+ public void testUriIsSanitized() {
+ NettyHttpOperationFailedException nettyHttpOperationFailedException =
new NettyHttpOperationFailedException("http://user:password@host", 500, "", "",
null);
+
+ assertThat(nettyHttpOperationFailedException.getMessage(),
not(containsString("password")));
+ assertThat(nettyHttpOperationFailedException.getUri(),
not(containsString("password")));
+ }
+}
diff --git
a/components/camel-netty4-http/src/main/java/org/apache/camel/component/netty4/http/NettyHttpOperationFailedException.java
b/components/camel-netty4-http/src/main/java/org/apache/camel/component/netty4/http/NettyHttpOperationFailedException.java
index 5baceeb9a60..32ea065dabc 100644
---
a/components/camel-netty4-http/src/main/java/org/apache/camel/component/netty4/http/NettyHttpOperationFailedException.java
+++
b/components/camel-netty4-http/src/main/java/org/apache/camel/component/netty4/http/NettyHttpOperationFailedException.java
@@ -22,6 +22,7 @@
import org.apache.camel.CamelException;
import org.apache.camel.component.netty4.NettyConverter;
import org.apache.camel.util.ObjectHelper;
+import org.apache.camel.util.URISupport;
/**
* Exception when a Netty HTTP operation failed.
@@ -36,8 +37,9 @@
private final String contentAsString;
public NettyHttpOperationFailedException(String uri, int statusCode,
String statusText, String location, HttpContent content) {
- super("Netty HTTP operation failed invoking " + uri + " with
statusCode: " + statusCode + (location != null ? ", redirectLocation: " +
location : ""));
- this.uri = uri;
+ // sanitize uri so we do not show sensitive information such as
passwords
+ super("Netty HTTP operation failed invoking " +
URISupport.sanitizeUri(uri) + " with statusCode: " + statusCode + (location !=
null ? ", redirectLocation: " + location : ""));
+ this.uri = URISupport.sanitizeUri(uri);
this.statusCode = statusCode;
this.statusText = statusText;
this.redirectLocation = location;
diff --git
a/components/camel-netty4-http/src/test/java/org/apache/camel/component/netty4/http/NettyHttpOperationFailedExceptionTest.java
b/components/camel-netty4-http/src/test/java/org/apache/camel/component/netty4/http/NettyHttpOperationFailedExceptionTest.java
new file mode 100644
index 00000000000..db83dfbe8e1
--- /dev/null
+++
b/components/camel-netty4-http/src/test/java/org/apache/camel/component/netty4/http/NettyHttpOperationFailedExceptionTest.java
@@ -0,0 +1,36 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.component.netty4.http;
+
+import org.junit.Test;
+
+import io.netty.handler.codec.http.DefaultLastHttpContent;
+
+import static org.hamcrest.core.IsNot.not;
+import static org.hamcrest.core.StringContains.containsString;
+import static org.junit.Assert.assertThat;
+
+public class NettyHttpOperationFailedExceptionTest {
+
+ @Test
+ public void testUriIsSanitized() {
+ NettyHttpOperationFailedException nettyHttpOperationFailedException =
new NettyHttpOperationFailedException("http://user:password@host", 500, "", "",
new DefaultLastHttpContent());
+
+ assertThat(nettyHttpOperationFailedException.getMessage(),
not(containsString("password")));
+ assertThat(nettyHttpOperationFailedException.getUri(),
not(containsString("password")));
+ }
+}
> HttpOperationFailedException exposes password when using basic auth with
> user:password@host notation
> ----------------------------------------------------------------------------------------------------
>
> Key: CAMEL-12480
> URL: https://issues.apache.org/jira/browse/CAMEL-12480
> Project: Camel
> Issue Type: Bug
> Components: camel-ahc, camel-http-common, camel-netty-http,
> camel-netty4-http, camel-undertow
> Affects Versions: 2.21.0
> Reporter: Pascal Schumacher
> Assignee: Pascal Schumacher
> Priority: Minor
> Fix For: 2.20.4, 2.21.2, 2.22.0
>
>
> Simplified route:
> {code}
> from(inUri)
> .toD("http4://user:password@host:port/path");
> {code}
> When an HttpOperationFailedException occurs, the message contains the unmasked
> password, e.g. "HTTP operation failed invoking
> http://user:password@host:port/path ..."
> I guess Camel should mask the password.