From ad4641b6fdec0a4073212578ed22f82da392fb6d Mon Sep 17 00:00:00 2001
From: Joao Duarte <jsvduarte@gmail.com>
Date: Thu, 31 Mar 2016 12:43:47 +0100
Subject: [PATCH 1/2] ensure Plugin#original_params is obfuscated

---
 logstash-core/lib/logstash/config/mixin.rb       | 7 ++++++-
 logstash-core/spec/logstash/config/mixin_spec.rb | 4 ++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/logstash-core/lib/logstash/config/mixin.rb b/logstash-core/lib/logstash/config/mixin.rb
index bd8b4dfc92e..dfda6016a12 100644
--- a/logstash-core/lib/logstash/config/mixin.rb
+++ b/logstash-core/lib/logstash/config/mixin.rb
@@ -53,7 +53,7 @@ def config_init(params)
     # Keep a copy of the original config params so that we can later
     # differentiate between explicit configuration and implicit (default)
     # configuration.
-    @original_params = params.clone
+    original_params = params.clone
     
     # store the plugin type, turns LogStash::Inputs::Base into 'input'
     @plugin_type = self.class.ancestors.find { |a| a.name =~ /::Base$/ }.config_name
@@ -142,6 +142,11 @@ def config_init(params)
       instance_variable_set("@#{key}", value)
     end
 
+    # now that we know the parameters are valid, we can obfuscate the original copy
+    # of the parameters before storing them as an instance variable
+    self.class.validate_check_parameter_values(original_params)
+    @original_params = original_params
+
     @config = params
   end # def config_init
 
diff --git a/logstash-core/spec/logstash/config/mixin_spec.rb b/logstash-core/spec/logstash/config/mixin_spec.rb
index 2a9bb8ac3d5..f801336cf0d 100644
--- a/logstash-core/spec/logstash/config/mixin_spec.rb
+++ b/logstash-core/spec/logstash/config/mixin_spec.rb
@@ -96,6 +96,10 @@
       clone = subject.class.new(subject.params)
       expect(clone.password.value).to(be == secret)
     end
+
+    it "should obfuscate original_params" do
+      expect(subject.original_params['password']).to(be_a(LogStash::Util::Password))
+    end
   end
 
   describe "obsolete settings" do

From b3d02b4ad3318f537ceede2bdf3777ab8c8ae2f5 Mon Sep 17 00:00:00 2001
From: Joao Duarte <jsvduarte@gmail.com>
Date: Thu, 31 Mar 2016 16:24:52 +0100
Subject: [PATCH 2/2] avoid reusing generic validation method during params
 securization

---
 logstash-core/lib/logstash/config/mixin.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/logstash-core/lib/logstash/config/mixin.rb b/logstash-core/lib/logstash/config/mixin.rb
index dfda6016a12..5b17faa4c5a 100644
--- a/logstash-core/lib/logstash/config/mixin.rb
+++ b/logstash-core/lib/logstash/config/mixin.rb
@@ -144,7 +144,7 @@ def config_init(params)
 
     # now that we know the parameters are valid, we can obfuscate the original copy
     # of the parameters before storing them as an instance variable
-    self.class.validate_check_parameter_values(original_params)
+    self.class.secure_params!(original_params)
     @original_params = original_params
 
     @config = params
@@ -542,6 +542,14 @@ def validate_value(value, validator)
       return true, result
     end # def validate_value
 
+    def secure_params!(params)
+      params.each do |key, value|
+        if @config[key][:validate] == :password && !value.is_a?(::LogStash::Util::Password)
+          params[key] = ::LogStash::Util::Password.new(value)
+        end
+      end
+    end
+
     def hash_or_array(value)
       if !value.is_a?(Hash)
         value = [*value] # coerce scalar to array if necessary