[jira] [Commented] (CASSANDRA-16801) PasswordObfuscator should not assume PASSWORD is the last item in the WITH clause

Thu, 28 Oct 2021 01:07:06 -0700 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-16801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17435236#comment-17435236
 ] 

Berenguer Blasi commented on CASSANDRA-16801:
---------------------------------------------

Info for the reviewer:

Luckily antlr was already moving the password around in a DTO {{RoleOptions}}. 
So the new logic is applied whenever possible and uses the previous logic as a 
fallback.

Interesting corner case I found where {{testp}} is being revealed #justfyi
{{Type: audit
LogMessage: 
user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:41278|timestamp:1635328638577|type:REQUEST_FAILURE|category:ERROR|operation:create
 user 'test' with password *******; line 1:33 mismatched input 'testp' 
expecting STRING_LITERAL (create user 'test' with password *******
}}

> PasswordObfuscator should not assume PASSWORD is the last item in the WITH 
> clause
> ---------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-16801
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16801
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Tool/auditlogging
>            Reporter: Caleb Rackliffe
>            Assignee: Berenguer Blasi
>            Priority: Normal
>             Fix For: 4.0.x, 4.x
>
>
> CASSANDRA-16669 introduced support for obfuscating passwords for audit log 
> statements, but there are a few cases where the obfuscation logic can destroy 
> some of the contents of the original/provided string.
> ex. This is perfectly valid...
> {noformat}
> WITH LOGIN = false AND PASSWORD = 'bar' AND SUPERUSER = false
> {noformat}
> ...but calling obfuscate() on it will produce...
> {noformat}
> WITH LOGIN = false AND PASSWORD *******
> {noformat}
> -We should be able to create a reasonable RegEx and use String#replaceAll() 
> to both simplify and correct PasswordObfuscator#obfuscate().-



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to