[ https://issues.apache.org/jira/browse/CXF-9067?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Holm updated CXF-9067:
-----------------------------
    Description: 
The regex in MaskSensitiveHelper matching possible XML attributes is too 
relaxed, and will match wrappers starting with the same characters as the 
sensitive element.

For example, this does not correctly mask the password element:
{code:java}
maskSensitiveHelper.addSensitiveElementNames(Set.of("password")) {code}
raw data:
{code:java}
<passwords><password>my secret password</password></passwords> {code}
expected:
{code:java}
<passwords><password>XXX</password></passwords>{code}
actual:
{code:java}
<passwords>XXX</password></passwords>{code}
 

 


> MaskSensitiveHelper incorrectly masks wrapper element
> -----------------------------------------------------
>
>                 Key: CXF-9067
>                 URL: https://issues.apache.org/jira/browse/CXF-9067
>             Project: CXF
>          Issue Type: Bug
>          Components: logging
>    Affects Versions: 4.0.5
>            Reporter: Daniel Holm
>            Priority: Minor
>              Labels: bug, logging
>   Original Estimate: 0.25h
>  Remaining Estimate: 0.25h
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
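
A minimal reproduction of the behaviour reported above, added here as an example and not taken from the CXF source. The `loose` pattern is an assumed regex shape that produces the reported output, `strict` is one possible tightening, and the class name, method names and all inputs other than the first are constructed for illustration.

```java
import java.util.regex.Pattern;

public class MaskWrapperDemo {
    // Assumed loose shape (not copied from CXF): after the element name,
    // ".*?" accepts any characters up to '>', so "<passwords>" also matches.
    static Pattern loose(String name) {
        String q = Pattern.quote(name);
        return Pattern.compile("(<" + q + ".*?>)(.*?)(</" + q + ">)", Pattern.DOTALL);
    }

    // Tightened shape: the name must be followed directly by '>' or by
    // whitespace and attributes. Attribute values containing '>' and
    // namespace-prefixed names are outside what this sketch handles.
    static Pattern strict(String name) {
        String q = Pattern.quote(name);
        return Pattern.compile("(<" + q + "(?:\\s[^>]*)?>)(.*?)(</" + q + ">)", Pattern.DOTALL);
    }

    // Keep the opening and closing tags, replace the element content.
    static String mask(Pattern p, String xml) {
        return p.matcher(xml).replaceAll("$1XXX$3");
    }

    public static void main(String[] args) {
        String[] samples = {
            // Payload from the issue report
            "<passwords><password>my secret password</password></passwords>",
            // Constructed: sibling element sharing the same prefix
            "<passwordHint>pet name</passwordHint><password>hunter2</password>",
            // Constructed: sensitive element carrying an attribute
            "<password type=\"text\">hunter2</password>"
        };
        Pattern loose = loose("password");
        Pattern strict = strict("password");
        for (String xml : samples) {
            System.out.println("raw:    " + xml);
            System.out.println("loose:  " + mask(loose, xml));
            System.out.println("strict: " + mask(strict, xml));
            System.out.println();
        }
    }
}
```

With the loose pattern the wrapper or sibling tag is captured as the opening tag, so the masked log line is no longer well-formed XML; the strict pattern leaves the wrapper intact and masks only the content of `password`.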
