From 6bd91806824ec692dd8b8ef0da2a194ba8b21d92 Mon Sep 17 00:00:00 2001
From: Jonathan Dowland
Date: Tue, 14 May 2024 13:44:55 +0100
Subject: [PATCH 1/3] Possible fix for CSB-3783
Signed-off-by: Adriano Machado <60320+ammachado@users.noreply.github.com>
Signed-off-by: Jonathan Dowland
---
 .../opt/jboss/container/java/run/run-java.sh | 26 +++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh b/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh
index 5dc154fe..f6029233 100644
--- a/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh
+++ b/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh
@@ -225,6 +225,26 @@ function configure_passwd() {
 if [ -w "$HOME/passwd" ]; then
 sed "/^jboss/s/[^:]*/$(id -u)/3" /etc/passwd > "$HOME/passwd"
 fi
+
+# Mask secrets before printing
+mask_passwords() {
+ local content="$1"
+ local result=""
+
+ IFS=' ' read -r -a key_value_pairs <<< "$content"
+
+ for pair in "${key_value_pairs[@]}"; do
+ key=$(echo "$pair" | cut -d '=' -f 1)
+ value=$(echo "$pair" | cut -d '=' -f 2-)
+
+ if [[ $key =~ [Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd] ]]; then
+ result+="$key=***** "
+ else
+ result+="$pair "
+ fi
+ done
+
+ echo "${result% }"
 }
 
 # Start JVM
@@ -242,9 +262,11 @@ startup() {
 args="-jar ${JAVA_APP_JAR}"
 fi
 
- procname="${JAVA_APP_NAME-java}"
+ local procname="${JAVA_APP_NAME-java}"
+
+ local masked_args=$(mask_passwords "${args}")
 
- log_info "exec -a \"${procname}\" java $(get_java_options) -cp \"$(get_classpath)\" ${args} $*"
+ log_info "exec -a \"${procname}\" java $(get_java_options) -cp \"$(get_classpath)\" ${masked_args} $*"
 log_info "running in $PWD"
 exec -a "${procname}" java $(get_java_options) -cp "$(get_classpath)" ${args} $*
 }
From d981f03353012ab54f25206a4d3a169bb60c151c Mon Sep 17 00:00:00 2001
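Review bot: `mask_passwords` only redacts a token whose part before `=` contains "password", so a secret supplied as a separate word (`--password VALUE`) or under a key such as `passwd`, `secret` or `token` is logged unchanged; that limit should at least be stated on the function, e.g. `# Only KEY=VALUE tokens whose KEY contains "password" (any case) are masked; space-separated or differently named secrets are printed as-is.` The here-string `read -r -a` also stops at the first newline and re-splits on single spaces, so if the options string ever spans lines or contains quoted spaces the logged form silently loses or mangles tokens — worth confirming against what the callers pass. `key_value_pairs`, `key` and `value` are not declared `local` (`value` is never used), and the per-token `echo | cut` pair can be the builtin `key=${pair%%=*}`. The hunk begins inside `configure_passwd`, whose body starts above it.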
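Review bot: The script's own positional parameters, `$*`, are still appended to the `log_info` line verbatim, so only `${args}` passes through `mask_passwords`; the same applies to the hunk in patch 2/3, which additionally moves `${args}` out of the masked portion. `local masked_args=$(mask_passwords "${args}")` also discards the function's exit status (ShellCheck SC2155); declare and assign separately, `local masked_args` then `masked_args=$(mask_passwords "${args} $*")`, and log `${masked_args}` in place of `${masked_args} $*`. `startup` begins above this hunk.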
From: Jonathan Dowland
Date: Thu, 2 May 2024 12:08:42 +0100
Subject: [PATCH 2/3] [OPENJDK-3009] hook masked_args into get_java_options for logging
Signed-off-by: Jonathan Dowland
---
 .../run/artifacts/opt/jboss/container/java/run/run-java.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh b/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh
index f6029233..c0e05e12 100644
--- a/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh
+++ b/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh
@@ -264,9 +264,9 @@ startup() {
 
 local procname="${JAVA_APP_NAME-java}"
 
- local masked_args=$(mask_passwords "${args}")
+ local masked_opts=$(mask_passwords "$(get_java_options)")
 
- log_info "exec -a \"${procname}\" java $(get_java_options) -cp \"$(get_classpath)\" ${masked_args} $*"
+ log_info "exec -a \"${procname}\" java ${masked_opts} -cp \"$(get_classpath)\" ${args} $*"
 log_info "running in $PWD"
 exec -a "${procname}" java $(get_java_options) -cp "$(get_classpath)" ${args} $*
 }
From 04f93d0e031a2561f57b69de56f6cd31511d4f42 Mon Sep 17 00:00:00 2001
From: Jonathan Dowland
Date: Thu, 2 May 2024 12:09:12 +0100
Subject: [PATCH 3/3] [OPENJDK-3009] Behave test for masking passwords in logs
Signed-off-by: Jonathan Dowland
---
 modules/run/tests/features/run.feature | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 modules/run/tests/features/run.feature
diff --git a/modules/run/tests/features/run.feature b/modules/run/tests/features/run.feature
new file mode 100644
index 00000000..6416f7a3
--- /dev/null
+++ b/modules/run/tests/features/run.feature
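Review bot: Moving the masking from `${args}` to the `get_java_options` output means `${args}` is logged raw again, so a `KEY=VALUE` secret placed in the application arguments rather than in the JVM options is no longer redacted; masking one concatenated string, `masked=$(mask_passwords "$(get_java_options) ${args} $*")`, covers all three parts without touching the `exec` line. `get_java_options` is now invoked twice per start (once for the log line, once for `exec`); if it is not a pure function of the environment, the logged and executed options could differ — worth confirming. `local masked_opts=$(…)` keeps the SC2155 pattern from the previous patch. The hunk starts inside `startup`, whose header is above it.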
@@ -0,0 +1,8 @@
+@ubi8
+Feature: OpenJDK run script tests
+ Scenario: OPENJDK-3009: Ensure command-line options containing 'password' are masked in logs
+ Given container is started with env
+ | variable | value |
+ | JAVA_OPTS_APPEND | -Djavax.net.ssl.trustStorePassword=sensitiveString |
+ Then container log should not contain sensitiveString
+
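Review bot: The scenario only asserts that `sensitiveString` is absent from the container log, so it would also pass if the option were dropped from the log line entirely or if the `exec` line were never logged; a positive check pins the intended behaviour, e.g. `Then container log should contain -Djavax.net.ssl.trustStorePassword=*****` (assuming that step exists in this test framework). Coverage is limited to `JAVA_OPTS_APPEND`; the application arguments and script positional parameters printed on the same log line have no scenario.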