Claus Skou Nielsen created CAMEL-17452:
------------------------------------------

             Summary: camel-util - URISupport#sanitizeUri sanitizes passwords incorrectly if remaining uri contains expression ${<expr>}
                 Key: CAMEL-17452
                 URL: https://issues.apache.org/jira/browse/CAMEL-17452
             Project: Camel
          Issue Type: Bug
          Components: camel-core
            Reporter: Claus Skou Nielsen


The following unit test demonstrates the problem with URISupport#sanitize:
{code:java}
    @Test
    public void testSanitizeUriWithRawPasswordAndSimpleExpression() {
        String uriPlain
                = "http://foo?username=me&password=RAW(me#@123)&foo=bar&port=21&tempFileName=${file:name.noext}.tmp&anotherOption=true";
        String uriCurly
                = "http://foo?username=me&password=RAW{me#@123}&foo=bar&port=21&tempFileName=${file:name.noext}.tmp&anotherOption=true";
        String expected
                = "http://foo?username=me&password=xxxxxx&foo=bar&port=21&tempFileName=${file:name.noext}.tmp&anotherOption=true";
        // "http://foo?username=me&password=xxxxxx.tmp&anotherOption=true" is the actual result
        assertEquals(expected, URISupport.sanitizeUri(uriPlain));
        assertEquals(expected, URISupport.sanitizeUri(uriCurly));
    }
{code}
The problem is that the SECRETS pattern in URISupport eagerly eats everything up until the ending of ${file:name.noext}.

It can be resolved by changing the regex-pattern, like so:
{code:java}
private static final Pattern SECRETS = Pattern.compile(
        "([?&][^=]*(?:passphrase|password|secretKey|accessToken|clientSecret|authorizationToken|saslJaasConfig)[^=]*)=(RAW(([{][^}]*[}])|([(][^)]*[)]))|[^&]*)",
        Pattern.CASE_INSENSITIVE);
{code}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
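The over-match described in the issue, reproduced side by side with the proposed pattern as an added example (not code from the issue or from Camel). Assumptions: the class name `SanitizeUriDemo`, the `sanitize` helper and its `"$1=xxxxxx"` replacement, and the `GREEDY` pattern, which is a stand-in with a greedy `.*` inside the RAW branch rather than the project's actual pre-fix pattern; the third URI is constructed to show a secret containing `&`.

```java
import java.util.regex.Pattern;

public class SanitizeUriDemo {
    // Option names copied from the pattern quoted in the issue.
    static final String KEYS =
        "passphrase|password|secretKey|accessToken|clientSecret|authorizationToken|saslJaasConfig";

    // Assumption: stand-in for the pre-fix behaviour. The greedy ".*" runs to the
    // LAST ')' or '}' in the URI, so a later ${...} expression ends the match.
    static final Pattern GREEDY = Pattern.compile(
        "([?&][^=]*(?:" + KEYS + ")[^=]*)=(RAW[({].*[)}]|[^&]*)",
        Pattern.CASE_INSENSITIVE);

    // Pattern proposed in the issue: each RAW form stops at its own first
    // closing delimiter ([^}]*} or [^)]*)), so the match cannot run past it.
    static final Pattern PROPOSED = Pattern.compile(
        "([?&][^=]*(?:" + KEYS + ")[^=]*)=(RAW(([{][^}]*[}])|([(][^)]*[)]))|[^&]*)",
        Pattern.CASE_INSENSITIVE);

    // Assumption: mask the value and keep the option name (capture group 1).
    static String sanitize(Pattern secrets, String uri) {
        return secrets.matcher(uri).replaceAll("$1=xxxxxx");
    }

    public static void main(String[] args) {
        String tail = "&foo=bar&port=21&tempFileName=${file:name.noext}.tmp&anotherOption=true";
        String expected = "http://foo?username=me&password=xxxxxx" + tail;
        String[] uris = {
            "http://foo?username=me&password=RAW(me#@123)" + tail, // from the issue
            "http://foo?username=me&password=RAW{me#@123}" + tail, // from the issue
            "http://foo?username=me&password=RAW(me&you)" + tail,  // constructed: '&' inside the secret
        };
        for (String uri : uris) {
            String greedy = sanitize(GREEDY, uri);
            String proposed = sanitize(PROPOSED, uri);
            System.out.println("input    : " + uri);
            System.out.println("greedy   : " + greedy + "  matchesExpected=" + greedy.equals(expected));
            System.out.println("proposed : " + proposed + "  matchesExpected=" + proposed.equals(expected));
        }
    }
}
```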