Re: [PR] Fix `/debugging/config/dump` may leak sensitive information if there are second level properties in the configuration. [skywalking]

[via GitHub]

wankai123 commented on code in PR #13726:
URL: https://github.com/apache/skywalking/pull/13726#discussion_r2888593950


##########
oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/status/ServerStatusService.java:
##########
@@ -100,19 +101,43 @@ public ConfigList dumpBootingConfigurations(String 
keywords4MaskingSecretsOfConf
                 (providerName, providerConfiguration) ->
                     providerConfiguration.getProperties().forEach(
                         (key, value) -> {
-                            for (final String keyword : keywords) {
-                                if 
(key.toString().toLowerCase().contains(keyword.toLowerCase())) {
-                                    value = "******";
-                                }
+                            if (value instanceof Properties) {
+                                Properties properties = (Properties) value;
+                                properties.forEach((k, v) -> {
+                                    String configKey = moduleName + "." + 
providerName + "." + key + "." + k;
+                                    String configValue = 
maskConfigValue(configKey, v.toString(), keywords);
+                                    configList.put(configKey, configValue);
+                                });
+                            } else {
+                                String configKey = moduleName + "." + 
providerName + "." + key;
+                                String configValue = 
maskConfigValue(key.toString(), value.toString(), keywords);
+                                configList.put(configKey, configValue);
                             }
-                            configList.put(moduleName + "." + providerName + 
"." + key, value.toString());
                         }
                     )
             );
         }
         return configList;
     }
 
+    /**
+     * Mask the configuration value if the key contains any masking keyword.
+     *
+     * @param configKey   the configuration key to check
+     * @param configValue the configuration value to mask
+     * @param keywords    the keywords for masking secrets
+     * @return masked value "******" if key matches any keyword, otherwise 
return the original value
+     */
+    private String maskConfigValue(String configKey, String configValue, 
String[] keywords) {
+        String lowerConfigKey = configKey.toLowerCase();
+        for (String keyword : keywords) {
+            if (lowerConfigKey.contains(keyword.toLowerCase())) {
+                return "******";
+            }
+        }
+        return configValue;
+    }

Review Comment:
   added e2e



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@skywalking.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org