Merge pull request #9405 from lafirest/fix/pass_leak

fix: hide sensitive data in some logs
2022-11-22 19:21:26 +08:00 · 2022-11-22 19:21:26 +08:00 · c3e80329ae
parent 38980ffd9e 0d2f1eb49e
commit c3e80329ae
4 changed files with 36 additions and 14 deletions
--- a/apps/emqx_coap/src/emqx_coap_mqtt_adapter.erl
+++ b/apps/emqx_coap/src/emqx_coap_mqtt_adapter.erl
@ -120,7 +120,7 @@ call(Pid, Msg, _) ->

 init({ClientId, Username, Password, Channel}) ->
    ?LOG(debug, "try to start adapter ClientId=~p, Username=~p, Password=~p, "
-                "Channel=~0p", [ClientId, Username, Password, Channel]),
+                "Channel=~0p", [ClientId, Username, "******", Channel]),
    State0 = #state{peername = Channel,
                    clientid = ClientId,
                    username = Username,
--- a/apps/emqx_coap/src/emqx_coap_resource.erl
+++ b/apps/emqx_coap/src/emqx_coap_resource.erl
@ -48,7 +48,7 @@ coap_discover(_Prefix, _Args) ->
    [{absolute, [<<"mqtt">>], []}].

 coap_get(ChId, ?MQTT_PREFIX, Path, Query, _Content) ->
-    ?LOG(debug, "coap_get() Path=~p, Query=~p~n", [Path, Query]),
+    ?LOG(debug, "coap_get() Path=~p, Query=~p~n", [Path, redact_query(Query)]),
    #coap_mqtt_auth{clientid = Clientid, username = Usr, password = Passwd} = get_auth(Query),
    case emqx_coap_mqtt_adapter:client_pid(Clientid, Usr, Passwd, ChId) of
        {ok, Pid} ->
@ -65,7 +65,8 @@ coap_get(ChId, ?MQTT_PREFIX, Path, Query, _Content) ->
            {error, internal_server_error}
    end;
 coap_get(ChId, Prefix, Path, Query, _Content) ->
-    ?LOG(error, "ignore bad get request ChId=~p, Prefix=~p, Path=~p, Query=~p", [ChId, Prefix, Path, Query]),
+    ?LOG(error, "ignore bad get request ChId=~p, Prefix=~p, Path=~p, Query=~p",
+         [ChId, Prefix, Path, redact_query(Query)]),
    {error, bad_request}.

 coap_post(_ChId, _Prefix, _Topic, _Content) ->
@ -149,3 +150,10 @@ topic([Path | TopicPath]) ->
            <<Path/binary, $/, RemTopic/binary>>
    end.

+redact_query(Auths) ->
+    lists:map(fun(<<$p, $=, _Rest/binary>>) ->
+                      <<$p, $=, "******">>;
+                 (E) ->
+                      E
+              end,
+              Auths).
--- a/apps/emqx_exproto/src/emqx_exproto.appup.src
+++ b/apps/emqx_exproto/src/emqx_exproto.appup.src
@ -1,17 +1,24 @@
 %% -*- mode: erlang -*-
 %% Unless you know what you are doing, DO NOT edit manually!!
 {VSN,
-  [{"4.3.12",[{load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]}]},
-   {"4.3.11",[{load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]}]},
+  [{"4.3.12",
+    [{load_module,emqx_exproto_gsvr,brutal_purge,soft_purge,[]},
+     {load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]}]},
+   {"4.3.11",
+    [{load_module,emqx_exproto_gsvr,brutal_purge,soft_purge,[]},
+     {load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]}]},
   {"4.3.10",
-    [{load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
+    [{load_module,emqx_exproto_gsvr,brutal_purge,soft_purge,[]},
+     {load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
     {load_module,emqx_exproto_channel,brutal_purge,soft_purge,[]}]},
   {"4.3.9",
-    [{load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
+    [{load_module,emqx_exproto_gsvr,brutal_purge,soft_purge,[]},
+     {load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
     {load_module,emqx_exproto_channel,brutal_purge,soft_purge,[]},
     {load_module,emqx_exproto_gcli,brutal_purge,soft_purge,[]}]},
   {<<"4\\.3\\.[2-8]">>,
-    [{load_module,emqx_exproto_gcli,brutal_purge,soft_purge,[]},
+    [{load_module,emqx_exproto_gsvr,brutal_purge,soft_purge,[]},
+     {load_module,emqx_exproto_gcli,brutal_purge,soft_purge,[]},
     {load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
     {load_module,emqx_exproto_channel,brutal_purge,soft_purge,[]}]},
   {<<"4\\.3\\.[0-1]">>,
@ -20,17 +27,24 @@
     {load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
     {load_module,emqx_exproto_channel,brutal_purge,soft_purge,[]}]},
   {<<".*">>,[]}],
-  [{"4.3.12",[{load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]}]},
-   {"4.3.11",[{load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]}]},
+  [{"4.3.12",
+    [{load_module,emqx_exproto_gsvr,brutal_purge,soft_purge,[]},
+     {load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]}]},
+   {"4.3.11",
+    [{load_module,emqx_exproto_gsvr,brutal_purge,soft_purge,[]},
+     {load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]}]},
   {"4.3.10",
-    [{load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
+    [{load_module,emqx_exproto_gsvr,brutal_purge,soft_purge,[]},
+     {load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
     {load_module,emqx_exproto_channel,brutal_purge,soft_purge,[]}]},
   {"4.3.9",
-    [{load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
+    [{load_module,emqx_exproto_gsvr,brutal_purge,soft_purge,[]},
+     {load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
     {load_module,emqx_exproto_channel,brutal_purge,soft_purge,[]},
     {load_module,emqx_exproto_gcli,brutal_purge,soft_purge,[]}]},
   {<<"4\\.3\\.[2-8]">>,
-    [{load_module,emqx_exproto_gcli,brutal_purge,soft_purge,[]},
+    [{load_module,emqx_exproto_gsvr,brutal_purge,soft_purge,[]},
+     {load_module,emqx_exproto_gcli,brutal_purge,soft_purge,[]},
     {load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
     {load_module,emqx_exproto_channel,brutal_purge,soft_purge,[]}]},
   {<<"4\\.3\\.[0-1]">>,
--- a/apps/emqx_exproto/src/emqx_exproto_gsvr.erl
+++ b/apps/emqx_exproto/src/emqx_exproto_gsvr.erl
@ -60,7 +60,7 @@ close(Req = #{conn := Conn}, Md) ->
 authenticate(Req = #{conn := Conn,
                     password := Password,
                     clientinfo := ClientInfo}, Md) ->
-    ?LOG(debug, "Recv ~p function with request ~0p", [?FUNCTION_NAME, Req]),
+    ?LOG_SENSITIVE(debug, "Recv ~p function with request ~0p", [?FUNCTION_NAME, Req]),
    case validate(clientinfo, ClientInfo) of
        false ->
            {ok, response({error, ?RESP_REQUIRED_PARAMS_MISSED}), Md};