From 1e9760130b29e39c52f45fb20a9f1378461949b5 Mon Sep 17 00:00:00 2001
From: Geoff Bourne
Date: Sun, 14 Jul 2024 09:38:19 -0500
Subject: [PATCH 1/2] http: avoid logging user info from URLs
---
 .../itzg/helpers/http/FetchBuilderBase.java | 32 ++++++++++++++++---
 1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/src/main/java/me/itzg/helpers/http/FetchBuilderBase.java b/src/main/java/me/itzg/helpers/http/FetchBuilderBase.java
index 3d5cac64..e8ea2539 100644
--- a/src/main/java/me/itzg/helpers/http/FetchBuilderBase.java
+++ b/src/main/java/me/itzg/helpers/http/FetchBuilderBase.java
@@ -8,6 +8,7 @@
 import io.netty.handler.codec.http.HttpStatusClass;
 import io.netty.handler.codec.http.HttpUtil;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
 import java.time.ZoneId;
@@ -47,6 +48,7 @@ public class FetchBuilderBase> {
 static protected class State {
 private final SharedFetch sharedFetch;
 private final URI uri;
+ private final String userInfo;
 public String userAgentCommand;
 private Set acceptContentTypes;
 private final Map requestHeaders = new HashMap<>();
@@ -54,7 +56,28 @@ static protected class State {
 State(URI uri, SharedFetch sharedFetch) {
 // Netty seems to half-way URL encode paths that have unicode,
 // so instead we'll pre-"encode" the URI
- this.uri = URI.create(uri.toASCIIString());
+ final URI encoded = URI.create(uri.toASCIIString());
+
+ if (uri.getRawUserInfo() != null) {
+ this.userInfo = uri.getRawUserInfo();
+ try {
+ this.uri = new URI(
+ encoded.getScheme(),
+ encoded.getRawUserInfo().replaceFirst(":.*", ":***"),
+ encoded.getHost(),
+ encoded.getPort(),
+ encoded.getPath(),
+ encoded.getQuery(),
+ encoded.getFragment()
+ );
+ } catch (URISyntaxException e) {
+ throw new GenericException("Failed to redact user info", e);
+ }
+ }
+ else {
+ this.userInfo = null;
+ this.uri = encoded;
+ }
 this.sharedFetch = sharedFetch;
 }
 }
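Review bot: The redacted URI is rebuilt with the seven-argument `URI` constructor from `encoded.getPath()`, `encoded.getQuery()` and `encoded.getFragment()`, which hand back decoded components that the constructor then quotes again, so a URL whose path or query carries percent-escapes (a `%2F` in a path segment, or an escaped `&` or `%` inside a signed query string) may not round-trip, and if `this.uri` is also what the request is issued against — which the hunk does not show — the fetch target changes along with the log output. Splicing the redacted user info into the raw string keeps every other byte intact and removes the `URISyntaxException` path. A smaller inconsistency: `this.userInfo` is read from the original `uri` while the redaction uses `encoded`, and the two differ when the user info contains non-ASCII characters; before this commit the Authorization header was derived from the encoded form. The fence below replaces the `if` branch; the constructor's `else` branch and remaining lines are unchanged, and `java.util.regex.Pattern` and `Matcher` would need importing.
```java
            if (uri.getRawUserInfo() != null) {
                final String rawUserInfo = encoded.getRawUserInfo();
                this.userInfo = rawUserInfo;
                final String redactedUserInfo = rawUserInfo.replaceFirst(":.*", ":***");
                // Swap only the "//user:pass@" prefix of the raw string so that path, query and
                // fragment escapes are not decoded and re-quoted on the way to the request.
                this.uri = URI.create(
                    encoded.toString().replaceFirst(
                        Pattern.quote("//" + rawUserInfo + "@"),
                        Matcher.quoteReplacement("//" + redactedUserInfo + "@")
                    )
                );
            }
            // … unchanged: else branch, sharedFetch assignment …
```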
@@ -242,12 +265,13 @@ protected void applyHeaders(io.netty.handler.codec.http.HttpHeaders headers) {
 );
 }
- final String rawUserInfo = state.uri.getRawUserInfo();
- if (rawUserInfo != null) {
+ if (state.userInfo != null) {
 headers.set(
 AUTHORIZATION.toString(),
 "Basic " +
- Base64.getEncoder().encodeToString(rawUserInfo.getBytes(StandardCharsets.UTF_8))
+ Base64.getEncoder().encodeToString(
+ state.userInfo.getBytes(StandardCharsets.UTF_8)
+ )
 );
 }
From 52701b73f16aa092e8af8ed70013e21f74f1c03e Mon Sep 17 00:00:00 2001
From: Geoff Bourne
Date: Sun, 14 Jul 2024 09:42:01 -0500
Subject: [PATCH 2/2] Just show first letter of username
---
 src/main/java/me/itzg/helpers/http/FetchBuilderBase.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/main/java/me/itzg/helpers/http/FetchBuilderBase.java b/src/main/java/me/itzg/helpers/http/FetchBuilderBase.java
index e8ea2539..543d5ec0 100644
--- a/src/main/java/me/itzg/helpers/http/FetchBuilderBase.java
+++ b/src/main/java/me/itzg/helpers/http/FetchBuilderBase.java
@@ -63,7 +63,8 @@ static protected class State {
 try {
 this.uri = new URI(
 encoded.getScheme(),
- encoded.getRawUserInfo().replaceFirst(":.*", ":***"),
+ // just show first letter of username for sanity confirmation
+ encoded.getRawUserInfo().charAt(0) + "***:***",
 encoded.getHost(),
 encoded.getPort(),
 encoded.getPath(),
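Review bot: The Basic credential on the new lines is the base64 of `state.userInfo`, which the State constructor fills from `getRawUserInfo()`, so it still carries URL percent-escapes; RFC 7617 credentials are the decoded `user-id:password`, and a password written as `p%40ss` in the URL would be sent literally instead of as `p@ss`. This predates the commit (the removed lines used `state.uri.getRawUserInfo()` the same way), but the refactor is the natural place to settle it: storing `uri.getUserInfo()` in State gives the RFC form, while deliberately keeping the raw form deserves a comment on the `state.userInfo` field such as `// percent-encoded form, sent as-is in the Basic credential`. `applyHeaders` begins before this hunk.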
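Review bot: `encoded.getRawUserInfo().charAt(0)` throws `StringIndexOutOfBoundsException` when the user info is present but empty, which as far as I can tell is what `java.net.URI` yields for a URL of the form `scheme://@host/` (an empty string rather than `null`, so the enclosing `!= null` check passes), and that exception is not caught by the surrounding `catch (URISyntaxException e)`. Guard the empty case before taking the first character: declare `final String raw = encoded.getRawUserInfo();` ahead of the `try` and use `(raw.isEmpty() ? "" : raw.substring(0, 1)) + "***:***",` as the user-info argument. The State constructor that contains this line starts and ends outside the hunk.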