[
https://issues.apache.org/jira/browse/LANG-1400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17071217#comment-17071217
]
Gary D. Gregory commented on LANG-1400:
---------------------------------------
This belongs in Commons Text IMO; I think we want to keep more low-level
utilities in Lang, and higher-level ones in Text. I'm sure how to express the
delineation yet but let's talk about it. I'll post on the ML.
> StringUtils: Add method for masking strings
> -------------------------------------------
>
> Key: LANG-1400
> URL: https://issues.apache.org/jira/browse/LANG-1400
> Project: Commons Lang
> Issue Type: Improvement
> Components: lang.*
> Reporter: Sergey Ponomarev
> Priority: Minor
> Time Spent: 10m
> Remaining Estimate: 0h
>
> It would be great to have a function which allows to mask the original str by
> replacing its
> characters with the specified character-mask. For example to mask credit card:
> {code}
> mask("3566002020360505", 4, 4, '*') = "3566********0505"
> {code}
> Thus the number was hidden by asterisks while first and last four digits are
> unmasked and seen.
> Common use case is to hide sensitive information from logs, by using it in
> toString() of classes or in inputs to log calls.
> I think this is "must have" functionality for Commons Lang library because
> from my experience in almost all big projects what I saw was their home grown
> masking function.
> I think this is very important also because this is required for masking
> credit card numbers by PCI compliance. Also new GDPR rules require to hide
> personal info as much as possible so masking of First and Last names now is
> required by laws.
> To make the world a safer place the utility for masking should be already
> existing in platform to avoid situations when a developer thinks "this is
> better to mask but I don't have enough time now so let's do this later"
> until a leak happens.
> IMHO this should be implemented even in `String` class itself.
> From my experience what I saw was usually few masking usages and styles:
> 1. masking of passwords and names: only first and last symbols are shown,
> mask char is `*`
> 2. masking of credit cards: only first and last 4 or 6 symbols are shown,
> mask char is `*`.
> 3. credit card number shortest masking of last symbols i.e.
> `mask("4242424242424242") == " *4242"` but it's not so often used, I just
> wanted to mention.
> 4. not masking but showing a length just to see that value was passed. This
> can be easily achieved by usual `String.length()` method.
> There is already some pull request
> [https://github.com/apache/commons-lang/pull/332] but I decided to create the
> ticket because we also need to support masking for ToStringBuilder and I
> would like to propose [PR with my own implementation of mask()
> function|https://github.com/apache/commons-lang/pull/335].
> If you accept my PR then I'll send another one with a new annotation
> @ToStringMasked in accordance to
> [@ToStringExclude|https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/builder/ToStringExclude.html]
> which will mark that fields should be masked. Possible usage I see like:
> {code}
> @ToStringMasked(unmaskedStart = 4, unmaskedEnd = 4)
> String creditCardNumber;
> @ToStringMasked(unmaskedStart = 1, unmaskedEnd = 1)
> String password;
> {code}
>
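An added example, not code from the ticket or from either pull request: one way to write the `mask(str, unmaskedStart, unmaskedEnd, maskChar)` function described in the issue. The class name `MaskExample` and the handling of short inputs are assumptions of this example; the ticket does not specify what happens when the unmasked prefix and suffix together cover the whole value, and here that case is masked completely so a short secret is never written to a log in full.

```java
import java.util.Arrays;

public final class MaskExample {

    /**
     * Masks str, keeping the first unmaskedStart and the last unmaskedEnd
     * characters (UTF-16 code units) and replacing the rest with maskChar.
     * Assumption of this example (not from the ticket): if the kept prefix
     * and suffix would cover the whole value, every character is masked.
     */
    static String mask(String str, int unmaskedStart, int unmaskedEnd, char maskChar) {
        if (unmaskedStart < 0 || unmaskedEnd < 0) {
            throw new IllegalArgumentException("unmasked lengths must be >= 0");
        }
        if (str == null || str.isEmpty()) {
            return str; // nothing to mask
        }
        int len = str.length();
        // long arithmetic so two large arguments cannot overflow int
        boolean coversAll = (long) unmaskedStart + unmaskedEnd >= len;
        int from = coversAll ? 0 : unmaskedStart;
        int to = coversAll ? len : len - unmaskedEnd;
        char[] out = str.toCharArray();
        Arrays.fill(out, from, to, maskChar); // 'to' is exclusive
        return new String(out);
    }

    public static void main(String[] args) {
        // The card number is the sample value from the ticket;
        // the other inputs are constructed for this example.
        System.out.println(mask("3566002020360505", 4, 4, '*')); // card style: 4 + 4 visible
        System.out.println(mask("hunter2", 1, 1, '*'));          // password style: 1 + 1 visible
        System.out.println(mask("ab", 1, 1, '*'));               // prefix + suffix cover the value
        System.out.println(mask("12345678", 4, 4, '*'));         // exactly covered, same rule
        System.out.println(mask(null, 4, 4, '*'));               // null passes through
    }
}
```

The output keeps the input's length, so a log reader still learns how long the masked value was.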