New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes to MiqPassword.sanitize_string to support URL encoded password. #373
Conversation
@@ -88,6 +89,10 @@ def self.sanitize_string!(s) | |||
s.gsub!(REGEXP, '********') | |||
end | |||
|
|||
def self.sanitize_encoded_string(s) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lfu Since there can be many kinds of encoding (base64, url) Should we call this function sanitize_url_encoded_string?
@@ -7,6 +7,7 @@ class MiqPasswordError < StandardError; end | |||
|
|||
CURRENT_VERSION = "2" | |||
REGEXP = /v([0-9]+):\{([^}]*)\}/ | |||
REGEXP_V2_ENCODED = /v([0-9]+)%3A%7B(.*?)%7D/ # for URL encoded string of "v2:{...}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the V2
should be removed from the name since the regex supports v*
. Maybe REGEXP_URL_ENCODED
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why (.*?)
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, we probably don't need the capture groups since we would have to URI decode the string before we could do anything with those values
@@ -88,6 +89,10 @@ def self.sanitize_string!(s) | |||
s.gsub!(REGEXP, '********') | |||
end | |||
|
|||
def self.sanitize_encoded_string(s) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason to add a new method rather than add this support to the two existing methods above?
a5b6f38
to
6b4d903
Compare
Looking Good. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We had plans to have versions of the passwords above v2 - but that is where it stopped and will always stop.
We no longer support anything other than v2, but taking that into account looks like it would change too many specs and be out of scope for this BZ.
I worry about having REGEXP
and REGEXP_PASSWORD
- but I can see how having a special purpose for cleaning urls may be desired. If not, please have sanitize_string
and sanitize_string!
use the same regular expression.
All in all, @lfu this is looking good.
Thanks @bdunne for the reviewing here, too.
@@ -7,6 +7,7 @@ class MiqPasswordError < StandardError; end | |||
|
|||
CURRENT_VERSION = "2" | |||
REGEXP = /v([0-9]+):\{([^}]*)\}/ | |||
REGEXP_PASSWORD = /v[0-9]+(:\{[^}]*\}|%3A%7B.*?%7D)/ # for "v2:{...}" or its URL encoded string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd feel a little more comfortable here with the .*
being swapped out for a clause that will be more restrictive.
Since it is base64 encoded the valid characters are [A-Za-z+/=]
but a simple [^%]
will suffice.
Also the ?
in the .*?
looks funny to me. Is that for a blank password?
I think the simplest regex would be:
REGEXP_URL_ENCODED = /v[0-2](:\{[^}]*\}|%3A%7B[^%]*%7D)
REGEXP_PASSWORD
really doesn't tell you anything. Granted, REGEXP
is a bad name, as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
.*?
is for non-greedy match.
+/=
become %2B%2F%3D
after URL encoded. So [^%]*
would not work for +/=
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Naming is always hard. REGEXP_URL_ENCODED
was my first try. But actually only the 2nd part of the REGEX is for URL encoded password. The first part is just for an encrypted password.
If REGEXP_URL_ENCODED
is preferred, I can certainly rename it.
@@ -7,6 +7,7 @@ class MiqPasswordError < StandardError; end | |||
|
|||
CURRENT_VERSION = "2" | |||
REGEXP = /v([0-9]+):\{([^}]*)\}/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if simplifying this regex would simplify your main goal.
REGEXP = `/v([0-2]):\{([^}]*)\}/`
I could not think of a use case where the change of |
Just for API consistency. |
6b4d903
to
6721dbe
Compare
@miq-bot add_label blocker |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just the one change with the +
and I'm +1
@bdunne you good with this now?
@@ -6,7 +6,8 @@ class MiqPassword | |||
class MiqPasswordError < StandardError; end | |||
|
|||
CURRENT_VERSION = "2" | |||
REGEXP = /v([0-9]+):\{([^}]*)\}/ | |||
REGEXP = /v([0-2]+):\{([^}]*)\}/ | |||
REGEXP_PASSWORD = /v[0-2]+(:\{[^}]*\}|%3A%7B.*?%7D)/ # for "v2:{...}" or its URL encoded string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could you remove the +
for both of these?
Also, I'd feel more comfortable with a [^%]*
over .*?
- but keeping with the lazy match and over matching is probably not the end of the world.
I'm punting on the name change. keep it REGEXP_PASSWORD
end | ||
|
||
def self.sanitize_string!(s) | ||
s.gsub!(REGEXP, '********') | ||
s.gsub!(REGEXP_PASSWORD, '********') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thnx
spec/util/miq-password_spec.rb
Outdated
@@ -212,8 +212,10 @@ | |||
end | |||
|
|||
it ".sanitize_string" do | |||
expect(MiqPassword.sanitize_string!("some :password: v1:{XAWlcAlViNwB} and another :password: v2:{egr+hObB}")).to eq( | |||
expect(MiqPassword.sanitize_string("some :password: v1:{XAWlcAlViNwB} and another :password: v2:{egr+hObB}")).to eq( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good catch
6721dbe
to
8b260c9
Compare
@lfu Can you take care of the rubocop comment? |
8b260c9
to
744d4c9
Compare
Checked commit lfu@744d4c9 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm good with this - you all set @bdunne ?
Changes to MiqPassword.sanitize_string to support URL encoded password. (cherry picked from commit 2fa61e9) https://bugzilla.redhat.com/show_bug.cgi?id=1619385
Hammer backport details:
|
Changes to MiqPassword.sanitize_string to support URL encoded password. (cherry picked from commit 2fa61e9) https://bugzilla.redhat.com/show_bug.cgi?id=1634808
Gaprindashvili backport details:
|
To hide the encoded password value in URL encoded string with
*******
.Blocks ManageIQ/manageiq-automation_engine#228.
https://bugzilla.redhat.com/show_bug.cgi?id=1619385
@miq-bot add_label bug, gaprindashvili/yes
cc @gmcculloug @bdunne
Before:
After: