From 5013fb6920a4540c022dbda523f7daa2f48af205 Mon Sep 17 00:00:00 2001
From: Zaiming Shi
Date: Sun, 16 May 2021 19:22:38 +0200
Subject: [PATCH] fix(node_dump): obfuscate more secrets
---
 src/emqx.app.src | 2 +-
 src/emqx.appup.src | 7 +++++++
 src/emqx_node_dump.erl | 28 ++++++++++++++++++++--------
 3 files changed, 28 insertions(+), 9 deletions(-)
diff --git a/src/emqx.app.src b/src/emqx.app.src
index 449ffd311..b195d7a1b 100644
--- a/src/emqx.app.src
+++ b/src/emqx.app.src
@@ -1,7 +1,7 @@
 {application, emqx,
 [{id, "emqx"},
 {description, "EMQ X"},
- {vsn, "4.3.1"}, % strict semver, bump manually!
+ {vsn, "4.3.2"}, % strict semver, bump manually!
 {modules, []},
 {registered, []},
 {applications, [kernel,stdlib,gproc,gen_rpc,esockd,cowboy,sasl,os_mon]},
diff --git a/src/emqx.appup.src b/src/emqx.appup.src
index 2cac1e315..937f31eff 100644
--- a/src/emqx.appup.src
+++ b/src/emqx.appup.src
@@ -1,6 +1,9 @@
 %% -*-: erlang -*-
 {VSN,
 [
+ {"4.3.1", [
+ {load_module, emqx_node_dump, brutal_purge, soft_purge, []}
+ ]},
 {"4.3.0", [
 {load_module, emqx_logger_jsonfmt, brutal_purge, soft_purge, []},
 {load_module, emqx_connection, brutal_purge, soft_purge, []},
@@ -12,6 +15,9 @@
 {<<".*">>, []}
 ],
 [
+ {"4.3.1", [
+ {load_module, emqx_node_dump, brutal_purge, soft_purge, []}
+ ]},
 {"4.3.0", [
 {load_module, emqx_logger_jsonfmt, brutal_purge, soft_purge, []},
 {load_module, emqx_connection, brutal_purge, soft_purge, []},
@@ -21,6 +27,7 @@
 %% and 'messages.retained' counter type.
 {load_module, emqx_metrics, brutal_purge, soft_purge, []}
 ]},
+ {<<".*">>, []}
 ]
 }.
diff --git a/src/emqx_node_dump.erl b/src/emqx_node_dump.erl
index 7134684e1..18189bb57 100644
--- a/src/emqx_node_dump.erl
+++ b/src/emqx_node_dump.erl
@@ -45,16 +45,28 @@ censor(Path, M) when is_map(M) ->
 maps:map(Fun, M);
 censor(Path, L = [Fst|_]) when is_tuple(Fst) ->
 [censor(Path, I) || I <- L];
-censor(Path, Val) ->
- case Path of
- [password|_] ->
- obfuscate_value(Val);
- [secret|_] ->
- obfuscate_value(Val);
- _ ->
- Val
+censor([Key | _], Val) ->
+ case is_sensitive(Key) of
+ true -> obfuscate_value(Val);
+ false -> Val
 end.
+is_sensitive(Key) when is_atom(Key) ->
+ is_sensitive(atom_to_binary(Key));
+is_sensitive(Key) when is_list(Key) ->
+ try iolist_to_binary(Key) of
+ Bin ->
+ is_sensitive(Bin)
+ catch
+ _ : _ ->
+ false
+ end;
+is_sensitive(Key) when is_binary(Key) ->
+ lists:any(fun(Pattern) -> re:run(Key, Pattern) =/= nomatch end,
+ ["passwd", "password", "secret"]);
+is_sensitive(Key) when is_tuple(Key) ->
+ false.
+
 obfuscate_value(Val) when is_binary(Val) ->
 <<"********">>;
 obfuscate_value(_Val) ->
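Review bot: The substring match in the binary clause of `is_sensitive/1` is case-sensitive, so a key such as `'Password'` or `<<"SECRET_KEY">>` evaluates to `false` and its value goes into the dump unmasked; passing the option, `re:run(Key, Pattern, [caseless]) =/= nomatch`, closes that gap. `is_sensitive/1` also has clauses only for atoms, lists, binaries and tuples, so if a key of any other type (an integer map key, say) can reach it, the call raises `function_clause` and aborts the dump where the old `_ -> Val` branch simply returned the value; ending with `is_sensitive(_) -> false.` instead of the tuple-only clause keeps the previous behaviour. In the same way the new head `censor([Key | _], Val)` no longer matches an empty path, and whether `[]` can arrive there depends on the earlier `censor/2` clauses and callers, which start before this hunk. The list clause's `catch _ : _ -> false` fails open as well: a list key that is not a valid iolist is treated as non-sensitive, which deserves a one-line comment stating that this is intended.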