[ https://issues.apache.org/jira/browse/LANG-1400?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Ponomarev updated LANG-1400:
-----------------------------------
    Description: 
It would be great to have a function which allows to mask the original str by 
replacing its characters with the specified character-mask. For example, to 
mask a credit card:
{code}
mask("3566002020360505", 4, 4, '*') = "3566********0505"
{code}
Thus the number was hidden by asterisks while first and last four digits are 
unmasked and seen.

Common use case is to hide sensitive information from logs, by using it in 
toString() of classes or in inputs to log calls.

I think this is "must have" functionality for Commons Lang library because from 
my experience in almost all big projects what I saw was their home grown 
masking function.
I think this is very important also because this is required for masking credit 
card numbers by PCI compliance. Also new GDPR rules require to hide personal 
info as much as possible so masking of First and Last names now is required by 
laws.
To make the world a safer place the utility for masking should be already 
existing in platform to avoid situations when a developer thinks "this is better 
to mask but I don't have enough time now so let's do this later" until leak 
happens.
IMHO this should be implemented even in `String` class itself.

From my experience what I saw was usually few masking usages and styles:
1. masking of passwords and names: only first and last symbols are shown, mask 
char is `*`
2. masking of credit cards: only first and last 4 or 6 symbols are shown, mask 
char is `*`.
3. credit card number shortest masking of last symbols i.e. 
`mask("4242424242424242") == " *4242"` but it's not so often used, I just 
wanted to mention.
4. not masking but showing a length just to see that value was passed. This can 
be easily achieved by usual `String.length()` method.

There is already some pull request 
[https://github.com/apache/commons-lang/pull/332] but I decided to create the 
ticket because we also need to support masking for ToStringBuilder and I would 
like to propose [PR with my own implementation of mask() 
function|https://github.com/apache/commons-lang/pull/335].
If you accept my PR then I'll send another one with a new annotation 
@ToStringMasked in accordance to 
[@ToStringExclude|https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/builder/ToStringExclude.html]
 which will mark that fields should be masked. Possible usage I see like:
{code}
@ToStringMasked(unmaskedStart = 4, unmaskedEnd = 4) 
String creditCardNumber;

@ToStringMasked(unmaskedStart = 1, unmaskedEnd = 1) 
String password;
{code}

 

  was:
It would be great to have a function which allows to mask the original str by 
replacing its characters with the specified character-mask. For example, to 
mask a credit card:
{code}
mask("3566002020360505", 4, 4, '*') = "3566********0505"
{code}
Thus the number was hidden by asterisks while first and last four digits are 
unmasked and seen.

Common use case is to hide sensitive information from logs, by using it in 
toString() of classes or in inputs to log calls.

I think this is "must have" functionality for Commons Lang library because from 
my experience in almost all big projects what I saw was their home grown 
masking function.
I think this is very important also because this is required for masking credit 
card numbers by PCI compliance. Also new GDPR rules require to hide personal 
info as much as possible so masking of First and Last names now is required by 
laws.
To make the world a safer place the utility for masking should be already 
existing in platform to avoid situations when a developer thinks "this is better 
to mask but I don't have enough time now so let's do this later" until leak 
happens.
IMHO this should be implemented even in `String` class itself.

From my experience what I saw was usually few masking usages and styles:
1. masking of passwords and names: only first and last symbols are shown, mask 
char is `*`
2. masking of credit cards: only first and last 4 or 6 symbols are shown, mask 
char is `*`.
3. credit card number shortest masking of last symbols i.e. 
`mask("4242424242424242") == " *4242"` but it's not so often used, I just 
wanted to mention.
4. not masking but showing a length just to see that value was passed. This can 
be easily achieved by usual `String.length()` method.

There is already some pull request 
[https://github.com/apache/commons-lang/pull/332] but I decided to create the 
ticket because we also need to support masking for ToStringBuilder and I would 
like to propose [PR with my own implementation of mask() 
function|https://github.com/apache/commons-lang/pull/335].
If you accept my PR then I'll send another one with a new annotation 
@ToStringMasked in accordance to 
[@ToStringExclude|https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/builder/ToStringExclude.html]
 which will mark that fields should be masked. Possible usage I see like:
{code}
@ToStringMasked(unmaskedStart = 4, unmaskedEnd = 4) 
String creditCardNumber;
{code}

 


> StringUtils: Add method for masking strings
> -------------------------------------------
>
>                 Key: LANG-1400
>                 URL: https://issues.apache.org/jira/browse/LANG-1400
>             Project: Commons Lang
>          Issue Type: Improvement
>          Components: lang.*
>            Reporter: Sergey Ponomarev
>            Priority: Minor
>
> It would be great to have a function which allows to mask the original str by 
> replacing its characters with the specified character-mask. For example, to 
> mask a credit card:
> {code}
> mask("3566002020360505", 4, 4, '*') = "3566********0505"
> {code}
> Thus the number was hidden by asterisks while first and last four digits are 
> unmasked and seen.
> Common use case is to hide sensitive information from logs, by using it in 
> toString() of classes or in inputs to log calls.
> I think this is "must have" functionality for Commons Lang library because 
> from my experience in almost all big projects what I saw was their home grown 
> masking function.
> I think this is very important also because this is required for masking 
> credit card numbers by PCI compliance. Also new GDPR rules require to hide 
> personal info as much as possible so masking of First and Last names now is 
> required by laws.
> To make the world a safer place the utility for masking should be already 
> existing in platform to avoid situations when a developer thinks "this is 
> better to mask but I don't have enough time now so let's do this later" 
> until leak happens.
> IMHO this should be implemented even in `String` class itself.
> From my experience what I saw was usually few masking usages and styles:
> 1. masking of passwords and names: only first and last symbols are shown, 
> mask char is `*`
> 2. masking of credit cards: only first and last 4 or 6 symbols are shown, 
> mask char is `*`.
> 3. credit card number shortest masking of last symbols i.e. 
> `mask("4242424242424242") == " *4242"` but it's not so often used, I just 
> wanted to mention.
> 4. not masking but showing a length just to see that value was passed. This 
> can be easily achieved by usual `String.length()` method.
> There is already some pull request 
> [https://github.com/apache/commons-lang/pull/332] but I decided to create the 
> ticket because we also need to support masking for ToStringBuilder and I 
> would like to propose [PR with my own implementation of mask() 
> function|https://github.com/apache/commons-lang/pull/335].
> If you accept my PR then I'll send another one with a new annotation 
> @ToStringMasked in accordance to 
> [@ToStringExclude|https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/builder/ToStringExclude.html]
>  which will mark that fields should be masked. Possible usage I see like:
> {code}
> @ToStringMasked(unmaskedStart = 4, unmaskedEnd = 4) 
> String creditCardNumber;
> @ToStringMasked(unmaskedStart = 1, unmaskedEnd = 1) 
> String password;
> {code}
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
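
The proposal in this ticket, as an added Java example (not code from the ticket or from either pull request): a `mask()` with the signature shown above plus a reflective `toString` helper driven by the proposed `@ToStringMasked` annotation. The names `MaskDemo`, `describe` and `Payment`, and the choice to mask the whole value when the unmasked windows would cover it, are assumptions; the ticket does not say how short inputs are handled.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Field;
import java.util.Arrays;

public class MaskDemo {
    // Hypothetical annotation modelled on the @ToStringMasked usage proposed in the ticket.
    @Retention(RetentionPolicy.RUNTIME)
    @interface ToStringMasked { int unmaskedStart() default 0; int unmaskedEnd() default 0; }

    // Keeps the first unmaskedStart and last unmaskedEnd chars; the rest becomes maskChar.
    static String mask(String s, int unmaskedStart, int unmaskedEnd, char maskChar) {
        if (s == null) return null;
        if (unmaskedStart < 0 || unmaskedEnd < 0) throw new IllegalArgumentException("negative window");
        char[] out = s.toCharArray();
        // Assumed policy: fail closed. If the visible windows would cover the
        // whole value (short password, truncated PAN), mask every character.
        boolean tooShort = (long) unmaskedStart + unmaskedEnd >= out.length;
        int from = tooShort ? 0 : unmaskedStart;
        int to = tooShort ? out.length : out.length - unmaskedEnd;
        Arrays.fill(out, from, to, maskChar);
        return new String(out);
    }

    // Reflective toString that masks annotated fields before they can reach a log line.
    static String describe(Object o) throws IllegalAccessException {
        StringBuilder sb = new StringBuilder(o.getClass().getSimpleName()).append('[');
        String sep = "";
        for (Field f : o.getClass().getDeclaredFields()) {
            if (f.isSynthetic()) continue;
            f.setAccessible(true);
            Object v = f.get(o);
            ToStringMasked m = f.getAnnotation(ToStringMasked.class);
            if (m != null && v != null) v = mask(v.toString(), m.unmaskedStart(), m.unmaskedEnd(), '*');
            sb.append(sep).append(f.getName()).append('=').append(v);
            sep = ",";
        }
        return sb.append(']').toString();
    }

    static class Payment {
        @ToStringMasked(unmaskedStart = 4, unmaskedEnd = 4) String creditCardNumber = "3566002020360505"; // sample from the ticket
        @ToStringMasked(unmaskedStart = 1, unmaskedEnd = 1) String password = "ab"; // constructed: shorter than its windows
        String currency = "EUR"; // constructed, not annotated, printed as-is
    }

    public static void main(String[] args) throws IllegalAccessException {
        System.out.println(mask("3566002020360505", 4, 4, '*'));
        System.out.println(describe(new Payment()));
    }
}
```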
