Merge pull request #4817 from zmstone/fix-nodedump-obfuscate-more

fix(node_dump): obfuscate more secrets
2021-05-17 12:42:38 +02:00 · 2021-05-17 12:42:38 +02:00 · 84293da42f
parent 4cd056cab5 5013fb6920
commit 84293da42f
3 changed files with 28 additions and 9 deletions
--- a/src/emqx.app.src
+++ b/src/emqx.app.src
@ -1,7 +1,7 @@
 {application, emqx,
 [{id, "emqx"},
  {description, "EMQ X"},
-  {vsn, "4.3.1"}, % strict semver, bump manually!
+  {vsn, "4.3.2"}, % strict semver, bump manually!
  {modules, []},
  {registered, []},
  {applications, [kernel,stdlib,gproc,gen_rpc,esockd,cowboy,sasl,os_mon]},
--- a/src/emqx.appup.src
+++ b/src/emqx.appup.src
@ -1,6 +1,9 @@
 %% -*-: erlang -*-
 {VSN,
 [
+   {"4.3.1", [
+     {load_module, emqx_node_dump, brutal_purge, soft_purge, []}
+   ]},
   {"4.3.0", [
     {load_module, emqx_logger_jsonfmt, brutal_purge, soft_purge, []},
     {load_module, emqx_connection, brutal_purge, soft_purge, []},
@ -12,6 +15,9 @@
   {<<".*">>, []}
 ],
 [
+   {"4.3.1", [
+     {load_module, emqx_node_dump, brutal_purge, soft_purge, []}
+   ]},
   {"4.3.0", [
     {load_module, emqx_logger_jsonfmt, brutal_purge, soft_purge, []},
     {load_module, emqx_connection, brutal_purge, soft_purge, []},
@ -21,6 +27,7 @@
     %% and 'messages.retained' counter type.
     {load_module, emqx_metrics, brutal_purge, soft_purge, []}
   ]},
+
   {<<".*">>, []}
 ]
 }.
--- a/src/emqx_node_dump.erl
+++ b/src/emqx_node_dump.erl
@ -45,16 +45,28 @@ censor(Path, M) when is_map(M) ->
    maps:map(Fun, M);
 censor(Path, L = [Fst|_]) when is_tuple(Fst) ->
    [censor(Path, I) || I <- L];
-censor(Path, Val) ->
-    case Path of
-        [password|_] ->
-            obfuscate_value(Val);
-        [secret|_]  ->
-            obfuscate_value(Val);
-        _ ->
-            Val
+censor([Key | _], Val) ->
+    case is_sensitive(Key) of
+        true -> obfuscate_value(Val);
+        false -> Val
    end.

+is_sensitive(Key) when is_atom(Key) ->
+    is_sensitive(atom_to_binary(Key));
+is_sensitive(Key) when is_list(Key) ->
+    try iolist_to_binary(Key) of
+        Bin ->
+            is_sensitive(Bin)
+    catch
+        _ : _ ->
+            false
+    end;
+is_sensitive(Key) when is_binary(Key) ->
+    lists:any(fun(Pattern) -> re:run(Key, Pattern) =/= nomatch end,
+              ["passwd", "password", "secret"]);
+is_sensitive(Key) when is_tuple(Key) ->
+    false.
+
 obfuscate_value(Val) when is_binary(Val) ->
    <<"********">>;
 obfuscate_value(_Val) ->