
Commit dfcb805

fix: obfuscate regexes
1 parent 90fee14 commit dfcb805

2 files changed

+65
-20
lines changed


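--- a/pkg/helpers/helpers.go
+++ b/pkg/helpers/helpers.go
@@ -370,11 +370,11 @@ func ObfuscateSensitiveDataFromArray(data []string) []string {
 
 //nolint:gochecknoglobals
 var obfuscateRegexes = []*regexp.Regexp{
-	// Match if contains pass|token|cert|auth|key|secret|salt|cred|pw
+	// Match if contains pass|token|cert|auth|key|secret|salt|cred|pw (should not have @ )
 	// and capturing if found the group after one of the separators: ' ', ':', '=' and '"'.
-	regexp.MustCompile(`(?i)(?:pass|token|cert|auth|key|secret|salt|cred|pw)(?:[^\s:="]*)(?:[\s:="]*)([^\s:="]+)?`),
-	// Match password in url http://user:pass@localhost
-	regexp.MustCompile(`(?i)(?:\:\/\/\w+)(?:[\s:="]*)([a-zA-Z0-9]+)(?:[\@])`),
+	regexp.MustCompile(`(?i)(?:pass|token|cert|auth|key|secret|salt|cred|pw)(?:[^\s:=@"]*)(?:[\s:="]*)([^\s:=@"]+)?`),
+	// Match password in url http://user:pass@localhost (should not have @ in password/user)
+	regexp.MustCompile(`(?i)(?:\:\/\/\w+)(?:[\s:="]*)([a-zA-Z0-9!#$%^&*()_+\-=\[\]{}|;:'",.<>?\/~]+)(?:[@])`),
 }
 
 // ObfuscateSensitiveData is used to detect sensitive data like tokens/passwords etc and
@@ -385,18 +385,16 @@ var obfuscateRegexes = []*regexp.Regexp{
 // /usr/bin/custom_cmd -pwd 1234 -arg2 abc => /usr/bin/custom_cmd -pwd * -arg2 abc
 func ObfuscateSensitiveData(value string) (matched, isField bool, result string) {
 	result = value
-
 	for _, obfuscateRegex := range obfuscateRegexes {
 
 		matches := obfuscateRegex.FindAllStringSubmatchIndex(result, -1)
-
 		var transforms bytes.Buffer
 
 		lastEndIndex := 0
-
 		for _, indexes := range matches {
 			// Expect array of 4:
 			// start-end indexes of the full match
+			// For array of 4 it's start-end indexes of the full match
 			// start-end indexes of the group 1 (data that should be obfuscated)
 			if len(indexes) != 4 {
 				break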
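Review bot: The new URL regex at new line 377 still requires the user part to match `\w+`, so a URI whose user name contains `.`, `-` or a percent-escape (constructed example: `mongodb://app-user:pw@host`) never matches and its password stays in cleartext in the redacted output; a class such as `[\w.%+-]+` in place of `\w+` would cover those without touching the captured group. The first regex now also stops its captured group at `@`, so a value like `-pwd abc@123` (constructed) comes back as `-pwd <HIDDEN>@123`, a partial leak that the `(should not have @ )` comment acknowledges but no test pins down. In the second hunk the added `// For array of 4 it's start-end indexes of the full match` restates the context line directly above it; keep one of the two. ObfuscateSensitiveData's body continues past the end of the hunk.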

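--- a/pkg/helpers/helpers_test.go
+++ b/pkg/helpers/helpers_test.go
@@ -294,25 +294,68 @@ func TestObfuscateSensitiveData_MatchButNothingToObfuscate(t *testing.T) {
 	assert.True(t, isField)
 	assert.Equal(t, data, result)
 }
-
 func TestObfuscateSensitiveData_CommandLineWithArgs(t *testing.T) {
-	data := "/usr/bin/custom_cmd -pwd 1234 -arg2 abc"
-	expected := "/usr/bin/custom_cmd -pwd <HIDDEN> -arg2 abc"
-	matched, isField, actual := ObfuscateSensitiveData(data)
+	tests := []struct {
+		name string
+		data string
+		expected string
+		isField bool
+	}{
+		{
+			name: "Custom command with password and mongodb uri",
+			data: "/usr/bin/custom_cmd -pwd 1234 --mongodb.uri mongodb://admin:testrw@host:27017/admin -arg2 abc",
+			expected: "/usr/bin/custom_cmd -pwd <HIDDEN> --mongodb.uri mongodb://admin:<HIDDEN>@host:27017/admin -arg2 abc",
+			isField: false,
+		},
+		{
+			name: "Prometheus exporter with mongodb uri and sensitive word in password",
+			data: "/usr/local/prometheus-exporters/bin/mongodb3-exporter --mongodb.uri mongodb://admin:testpass@localhost:27017/admin --no-mongodb.direct-connect --collector.dbstats --collector.collstats",
+			expected: "/usr/local/prometheus-exporters/bin/mongodb3-exporter --mongodb.uri mongodb://admin:<HIDDEN>@localhost:27017/admin --no-mongodb.direct-connect --collector.dbstats --collector.collstats",
+			isField: true,
+		},
+	}
 
-	assert.True(t, matched)
-	assert.False(t, isField)
-	assert.Equal(t, expected, actual)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			matched, isField, actual := ObfuscateSensitiveData(tt.data)
+			assert.True(t, matched)
+			assert.Equal(t, tt.isField, isField)
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
 }
 
 func TestObfuscateSensitiveData_ConfigProtocolOutput(t *testing.T) {
-	data := `{"config_protocol_version":"1","action":"register_config","config_name":"cfg-nri-ibmmq","config":{"variables":{},"integrations":[{"name":"nri-prometheus","config":{"standalone":false,"verbose":"1","transformations":[],"integration_metadata":{"version":"0.3.0","name":"nri-ibmmq""targets":["urls":["http://localhost:9157"]}]}},{"name":"ibmmq-exporter","timeout":0, "exec":[ "/usr/local/prometheus-exporters/bin/ibmmq-exporter","--mongodb.uri","mongodb://root:supercomplex@localhost:17017","--ibmmq.connName","localhost(1414)","--ibmmq.queueManager","QM1","--ibmmq.channel","DEV.ADMIN.SVRCONN","--ibmmq.userid","admin","--ibmmq.httpListenPort","9157","--ibmmq.monitoredQueues","!SYSTEM.*,*","--ibmmq.monitoredChannels","*","--ibmmq.httpMetricPath","/metrics","--ibmmq.useStatus"],"env":{"IBMMQ_CONNECTION_PASSWORD":"passw0rd","LD_LIBRARY_PATH":"/opt/mqm/lib64:/usr/lib64","HOME":"/tmp"}}]}}`
-	expected := `{"config_protocol_version":"1","action":"register_config","config_name":"cfg-nri-ibmmq","config":{"variables":{},"integrations":[{"name":"nri-prometheus","config":{"standalone":false,"verbose":"1","transformations":[],"integration_metadata":{"version":"0.3.0","name":"nri-ibmmq""targets":["urls":["http://localhost:9157"]}]}},{"name":"ibmmq-exporter","timeout":0, "exec":[ "/usr/local/prometheus-exporters/bin/ibmmq-exporter","--mongodb.uri","mongodb://root:<HIDDEN>@localhost:17017","--ibmmq.connName","localhost(1414)","--ibmmq.queueManager","QM1","--ibmmq.channel","DEV.ADMIN.SVRCONN","--ibmmq.userid","admin","--ibmmq.httpListenPort","9157","--ibmmq.monitoredQueues","!SYSTEM.*,*","--ibmmq.monitoredChannels","*","--ibmmq.httpMetricPath","/metrics","--ibmmq.useStatus"],"env":{"IBMMQ_CONNECTION_PASSWORD":"<HIDDEN>","LD_LIBRARY_PATH":"/opt/mqm/lib64:/usr/lib64","HOME":"/tmp"}}]}}`
-	matched, isField, actual := ObfuscateSensitiveData(data)
+	tests := []struct {
+		name string
+		data string
+		expected string
+		isField bool
+	}{
+		{
+			name: "Config protocol output with password and mongodb uri",
+			data: `{"config_protocol_version":"1","action":"register_config","config_name":"cfg-nri-ibmmq","config":{"variables":{},"integrations":[{"name":"nri-prometheus","config":{"standalone":false,"verbose":"1","transformations":[],"integration_metadata":{"version":"0.3.0","name":"nri-ibmmq""targets":["urls":["http://localhost:9157"]}]}},{"name":"ibmmq-exporter","timeout":0, "exec":[ "/usr/local/prometheus-exporters/bin/ibmmq-exporter","--mongodb.uri","mongodb://root:supercomplex@localhost:17017","--ibmmq.connName","localhost(1414)","--ibmmq.queueManager","QM1","--ibmmq.channel","DEV.ADMIN.SVRCONN","--ibmmq.userid","admin","--ibmmq.httpListenPort","9157","--ibmmq.monitoredQueues","!SYSTEM.*,*","--ibmmq.monitoredChannels","*","--ibmmq.httpMetricPath","/metrics","--ibmmq.useStatus"],"env":{"IBMMQ_CONNECTION_PASSWORD":"passw0rd","LD_LIBRARY_PATH":"/opt/mqm/lib64:/usr/lib64","HOME":"/tmp"}}]}}`, //nolint
+			expected: `{"config_protocol_version":"1","action":"register_config","config_name":"cfg-nri-ibmmq","config":{"variables":{},"integrations":[{"name":"nri-prometheus","config":{"standalone":false,"verbose":"1","transformations":[],"integration_metadata":{"version":"0.3.0","name":"nri-ibmmq""targets":["urls":["http://localhost:9157"]}]}},{"name":"ibmmq-exporter","timeout":0, "exec":[ "/usr/local/prometheus-exporters/bin/ibmmq-exporter","--mongodb.uri","mongodb://root:<HIDDEN>@localhost:17017","--ibmmq.connName","localhost(1414)","--ibmmq.queueManager","QM1","--ibmmq.channel","DEV.ADMIN.SVRCONN","--ibmmq.userid","admin","--ibmmq.httpListenPort","9157","--ibmmq.monitoredQueues","!SYSTEM.*,*","--ibmmq.monitoredChannels","*","--ibmmq.httpMetricPath","/metrics","--ibmmq.useStatus"],"env":{"IBMMQ_CONNECTION_PASSWORD":"<HIDDEN>","LD_LIBRARY_PATH":"/opt/mqm/lib64:/usr/lib64","HOME":"/tmp"}}]}}`, //nolint
+			isField: false,
+		},
+		{
+			name: "Config protocol output with special characters password and mongodb uri",
+			data: `{"config_protocol_version":"1","action":"register_config","config_name":"cfg-nri-ibmmq","config":{"variables":{},"integrations":[{"name":"nri-prometheus","config":{"standalone":false,"verbose":"1","transformations":[],"integration_metadata":{"version":"0.3.0","name":"nri-ibmmq""targets":["urls":["http://user:r#wsq@localhost:9157"]}]}},{"name":"ibmmq-exporter","timeout":0, "exec":[ "/usr/local/prometheus-exporters/bin/ibmmq-exporter","--mongodb.uri","mongodb://newrelic:rW#ord@host:27017/admin","--ibmmq.connName","localhost(1414)","--ibmmq.queueManager","QM1","--ibmmq.channel","DEV.ADMIN.SVRCONN","--ibmmq.userid","admin","--ibmmq.httpListenPort","9157","--ibmmq.monitoredQueues","!SYSTEM.*,*","--ibmmq.monitoredChannels","*","--ibmmq.httpMetricPath","/metrics","--ibmmq.useStatus"],"env":{"IBMMQ_CONNECTION_PASSWORD":"passw0rd","LD_LIBRARY_PATH":"/opt/mqm/lib64:/usr/lib64","HOME":"/tmp"}}]}}`, //nolint
+			expected: `{"config_protocol_version":"1","action":"register_config","config_name":"cfg-nri-ibmmq","config":{"variables":{},"integrations":[{"name":"nri-prometheus","config":{"standalone":false,"verbose":"1","transformations":[],"integration_metadata":{"version":"0.3.0","name":"nri-ibmmq""targets":["urls":["http://user:<HIDDEN>@localhost:9157"]}]}},{"name":"ibmmq-exporter","timeout":0, "exec":[ "/usr/local/prometheus-exporters/bin/ibmmq-exporter","--mongodb.uri","mongodb://newrelic:<HIDDEN>@host:27017/admin","--ibmmq.connName","localhost(1414)","--ibmmq.queueManager","QM1","--ibmmq.channel","DEV.ADMIN.SVRCONN","--ibmmq.userid","admin","--ibmmq.httpListenPort","9157","--ibmmq.monitoredQueues","!SYSTEM.*,*","--ibmmq.monitoredChannels","*","--ibmmq.httpMetricPath","/metrics","--ibmmq.useStatus"],"env":{"IBMMQ_CONNECTION_PASSWORD":"<HIDDEN>","LD_LIBRARY_PATH":"/opt/mqm/lib64:/usr/lib64","HOME":"/tmp"}}]}}`, //nolint
+			isField: false,
+		},
+	}
 
-	assert.True(t, matched)
-	assert.False(t, isField)
-	assert.Equal(t, expected, actual)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			matched, isField, actual := ObfuscateSensitiveData(tt.data)
+			assert.True(t, matched)
+			assert.Equal(t, tt.isField, isField)
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
 }
 
 func TestObfuscateSensitiveData_EnvironmentVariable(t *testing.T) {
@@ -417,7 +460,9 @@ func TestObfuscateSensitiveData_ObfuscateSensitiveDataFromArray(t *testing.T) {
 		"obfuscare_next_pass",
 		"12345",
 		"NRIA_KEY=1234",
+		"NewrelicMongoDB=pa$$word@",
 		"final",
+		"mongodb_uri mongodb://newrelictest:NewrelicMongoDB@localhost:27017/admin",
 	}
 
 	expected := []string{
@@ -427,7 +472,9 @@ func TestObfuscateSensitiveData_ObfuscateSensitiveDataFromArray(t *testing.T) {
 		"obfuscare_next_pass",
 		"<HIDDEN>",
 		"NRIA_KEY=<HIDDEN>",
+		"NewrelicMongoDB=pa$$word@",
 		"final",
+		"mongodb_uri mongodb://newrelictest:<HIDDEN>@localhost:27017/admin",
 	}
 
 	actual := ObfuscateSensitiveDataFromArray(data)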
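Review bot: The new subtest loops at new lines 318–326 and 350–358 call `t.Parallel()` inside `t.Run` while the closure reads the range variable `tt`; unless go.mod declares Go 1.22 or later, every parallel subtest resumes only after the loop has finished and therefore sees the last table entry, so the first case of each table is never exercised while the test still reports green. Add `tt := tt` as the first statement of both loop bodies, or drop `t.Parallel()` from the subtests, and if the go.mod version is already 1.22+ a one-line comment saying so would spare the next reader the same doubt. The same pattern appears in both TestObfuscateSensitiveData_CommandLineWithArgs and TestObfuscateSensitiveData_ConfigProtocolOutput. The body of TestObfuscateSensitiveData_ObfuscateSensitiveDataFromArray continues past the last hunk.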
