tweak jdbc redaction (#1490)

JDBC redaction could fail in some irritating edge cases involving passwords that contain the @ character. The logic has been tweaked to eliminate these cases and some tests have been added.
2024-11-10 15:14:38 +00:00 · 2023-07-17 11:04:12 -04:00 · 2023-07-17 11:04:12 -04:00 · ee814a67bd
commit ee814a67bd
parent 17b90b32d0
2 changed files with 51 additions and 5 deletions
--- a/pkg/detectors/jdbc/jdbc.go
+++ b/pkg/detectors/jdbc/jdbc.go
@ -101,15 +101,15 @@ matchLoop:
 }

 func tryRedactAnonymousJDBC(conn string) string {
-	if s, ok := tryRedactBasicAuth(conn); ok {
-		return s
-	}
 	if s, ok := tryRedactURLParams(conn); ok {
 		return s
 	}
 	if s, ok := tryRedactODBC(conn); ok {
 		return s
 	}
+	if s, ok := tryRedactBasicAuth(conn); ok {
+		return s
+	}
 	if s, ok := tryRedactRegex(conn); ok {
 		return s
 	}
@ -158,8 +158,8 @@ func tryRedactODBC(conn string) (string, bool) {
 	var found bool
 	var newParams []string
 	for _, param := range strings.Split(conn, ";") {
-		key, val, _ := strings.Cut(param, "=")
-		if strings.Contains(strings.ToLower(key), "pass") {
+		key, val, isKvp := strings.Cut(param, "=")
+		if isKvp && strings.Contains(strings.ToLower(key), "pass") {
 			newParams = append(newParams, key+"="+strings.Repeat("*", len(val)))
 			found = true
 			continue
--- a/pkg/detectors/jdbc/jdbc_test.go
+++ b/pkg/detectors/jdbc/jdbc_test.go
@ -5,6 +5,7 @@ package jdbc

 import (
 	"context"
+	"github.com/stretchr/testify/assert"
 	"os"
 	"testing"

@ -207,6 +208,51 @@ func TestJdbc_FromDataWithIgnorePattern(t *testing.T) {
 	}
 }

+func TestJdbc_Redact(t *testing.T) {
+	tests := []struct {
+		name string
+		conn string
+		want string
+	}{
+		{
+			name: "basic auth'",
+			conn: "//user:secret@tcp(127.0.0.1:3306)/",
+			want: "//user:******@tcp(127.0.0.1:3306)/",
+		},
+		{
+			name: "basic auth including raw string 'pass'",
+			conn: "//wrongUser:wrongPass@tcp(127.0.0.1:3306)/",
+			want: "//wrongUser:*********@tcp(127.0.0.1:3306)/",
+		},
+		{
+			name: "basic auth including raw string 'pass' with unfortunate db name",
+			conn: "//wrongUser:wrongPass@tcp(127.0.0.1:3306)/passwords",
+			want: "//wrongUser:*********@tcp(127.0.0.1:3306)/passwords",
+		},
+		{
+			name: "url param-style",
+			conn: "jdbc:postgresql://localhost:5432/foo?sslmode=disable&password=p@ssw04d",
+			want: "jdbc:postgresql://localhost:5432/foo?sslmode=disable&password=********",
+		},
+		{
+			name: "odbc-style without server",
+			conn: "//odbc:server=localhost;user id=sa;database=master;password=/p?s=sw&rd",
+			want: "//odbc:server=localhost;user id=sa;database=master;password=**********",
+		},
+		{
+			name: "odbc-style with server",
+			conn: "jdbc:sqlserver://a.b.c.net;database=database-name;spring.datasource.password=super-secret-password",
+			want: "jdbc:sqlserver://a.b.c.net;database=database-name;spring.datasource.password=*********************",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tryRedactAnonymousJDBC(tt.conn)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
 func BenchmarkFromData(benchmark *testing.B) {
 	ctx := context.Background()
 	s := Scanner{}