Improve host.json sanitization (#9459)

Azure · Oct 18, 2023 · 46906d2 · 46906d2
1 parent 450b886
commit 46906d2
Show file tree

Hide file tree

Showing 3 changed files with 88 additions and 5 deletions.
diff --git a/src/WebJobs.Script/Config/HostJsonFileConfigurationSource.cs b/src/WebJobs.Script/Config/HostJsonFileConfigurationSource.cs
@@ -54,6 +54,8 @@ public class HostJsonFileConfigurationProvider : ConfigurationProvider
                 "customHandler", "httpWorker", "extensions", "concurrency"
             };
 
+            private static readonly string[] CredentialNameFragments = new[] { "password", "pwd", "key", "secret", "token", "sas" };
+
             private readonly HostJsonFileConfigurationSource _configurationSource;
             private readonly Stack<string> _path;
             private readonly ILogger _logger;
@@ -275,14 +277,65 @@ private JObject TryAddBundleConfiguration(JObject content, string bundleId, stri
 
             internal static string SanitizeHostJson(JObject hostJsonObject)
             {
-                JObject sanitizedObject = new JObject();
+                static bool IsPotentialCredential(string name)
+                {
+                    foreach (string fragment in CredentialNameFragments)
+                    {
+                        if (name.Contains(fragment, StringComparison.OrdinalIgnoreCase))
+                        {
+                            return true;
+                        }
+                    }
+
+                    return false;
+                }
+
+                static JToken Sanitize(JToken token)
+                {
+                    if (token is JObject obj)
+                    {
+                        JObject sanitized = new JObject();
+                        foreach (var prop in obj)
+                        {
+                            if (IsPotentialCredential(prop.Key))
+                            {
+                                sanitized[prop.Key] = Sanitizer.SecretReplacement;
+                            }
+                            else
+                            {
+                                sanitized[prop.Key] = Sanitize(prop.Value);
+                            }
+                        }
 
+                        return sanitized;
+                    }
+
+                    if (token is JArray arr)
+                    {
+                        JArray sanitized = new JArray();
+                        foreach (var value in arr)
+                        {
+                            sanitized.Add(Sanitize(value));
+                        }
+
+                        return sanitized;
+                    }
+
+                    if (token.Type == JTokenType.String)
+                    {
+                        return Sanitizer.Sanitize(token.ToString());
+                    }
+
+                    return token;
+                }
+
+                JObject sanitizedObject = new JObject();
                 foreach (var propName in WellKnownHostJsonProperties)
                 {
                     var propValue = hostJsonObject[propName];
                     if (propValue != null)
                     {
-                        sanitizedObject[propName] = propValue;
+                        sanitizedObject[propName] = Sanitize(propValue);
                     }
                 }
 

diff --git a/src/WebJobs.Script/Sanitizer.cs b/src/WebJobs.Script/Sanitizer.cs
@@ -11,7 +11,7 @@ namespace Microsoft.Azure.WebJobs.Logging
     // Note: This file is shared between the WebJobs SDK and Script repos. Update both if changes are needed.
     internal static class Sanitizer
     {
-        private const string SecretReplacement = "[Hidden Credential]";
+        public const string SecretReplacement = "[Hidden Credential]";
         private static readonly char[] ValueTerminators = new char[] { '<', '"', '\'' };
 
         // List of keywords that should not be replaced with [Hidden Credential]

diff --git a/test/WebJobs.Script.Tests/Configuration/HostJsonFileConfigurationSourceTests.cs b/test/WebJobs.Script.Tests/Configuration/HostJsonFileConfigurationSourceTests.cs
@@ -160,7 +160,22 @@ public void Initialize_Sanitizes_HostJsonLog()
                 'logging': {
                     'categoryFilter': {
                         'defaultLevel': 'Information'
-                    }
+                    },
+                    'applicationInsights': {
+                        'prop': 'Hey=AS1$@%#$%W-k2j"";SharedAccessKey=foo,Data Source=barzons,Server=bathouse""testing',
+                        'values': [ 'plain', 10, 'Password=hunter2' ],
+                        'sampleSettings': {
+                            'my-password': 'hunter2',
+                            'service_token': 'token',
+                            'StorageSas': 'access'
+                        }
+                    },
+                    'prop': 'Hey=AS1$@%#$%W-k2j"";SharedAccessKey=foo,Data Source=barzons,Server=bathouse""testing',
+                    'values': [ 'plain', 10, 'Password=hunter2' ],
+                    'my-password': 'hunter2',
+                    'service_token': 'token',
+                    'StorageSas': 'access',
+                    'aSecret': { 'value1': 'value' }
                 },
                 'Values': {
                     'MyCustomValue': 'abc'
@@ -182,7 +197,22 @@ public void Initialize_Sanitizes_HostJsonLog()
                 'logging': {
                     'categoryFilter': {
                         'defaultLevel': 'Information'
-                    }
+                    },
+                    'applicationInsights': {
+                        'prop': 'Hey=AS1$@%#$%W-k2j"";[Hidden Credential]""testing',
+                        'values': [ 'plain', 10, '[Hidden Credential]' ],
+                        'sampleSettings': {
+                            'my-password': '[Hidden Credential]',
+                            'service_token': '[Hidden Credential]',
+                            'StorageSas': '[Hidden Credential]'
+                        }
+                    },
+                    'prop': 'Hey=AS1$@%#$%W-k2j"";[Hidden Credential]""testing',
+                    'values': [ 'plain', 10, '[Hidden Credential]' ],
+                    'my-password': '[Hidden Credential]',
+                    'service_token': '[Hidden Credential]',
+                    'StorageSas': '[Hidden Credential]',
+                    'aSecret': '[Hidden Credential]'
                 }
             }";