fix: fully mask passwords in logfile (DEV-3225) (#761)

dasch-swiss · Jan 24, 2024 · 87c03d4 · 87c03d4
1 parent f97cce8
commit 87c03d4
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/src/dsp_tools/utils/connection_live.py b/src/dsp_tools/utils/connection_live.py
@@ -307,12 +307,12 @@ def _anonymize(self, data: dict[str, Any] | None) -> dict[str, Any] | None:
             if match := regex.search(r"^Bearer (.+)", data["Authorization"]):
                 data["Authorization"] = f"Bearer {self._mask(match.group(1))}"
         if "password" in data:
-            data["password"] = self._mask(data["password"])
+            data["password"] = "*" * len(data["password"])
         return data
 
     def _mask(self, sensitive_info: str) -> str:
         unmasked_until = 5
-        if len(sensitive_info) <= unmasked_until:
+        if len(sensitive_info) <= unmasked_until * 2:
             return "*" * len(sensitive_info)
         else:
             return f"{sensitive_info[:unmasked_until]}[+{len(sensitive_info) - unmasked_until}]"

diff --git a/test/unittests/utils/test_connection_live.py b/test/unittests/utils/test_connection_live.py
@@ -8,7 +8,7 @@ def test_anonymize_different_keys() -> None:
     assert con._anonymize({"token": "uk7m20-8gqn8"}) == {"token": "uk7m2[+7]"}
     assert con._anonymize({"Set-Cookie": "uk7m20-8gqn8"}) == {"Set-Cookie": "uk7m2[+7]"}
     assert con._anonymize({"Authorization": "Bearer uk7m20-8gqn8"}) == {"Authorization": "Bearer uk7m2[+7]"}
-    assert con._anonymize({"password": "uk7m20-8gqn8"}) == {"password": "uk7m2[+7]"}
+    assert con._anonymize({"password": "uk7m20-8gqn8"}) == {"password": "************"}
 
 
 def test_anonymize_doesnt_mutate_original() -> None: