[jira] [Updated] (CXF-8691) Logging Feature - Sensitive element with arrays

Wed, 06 Mar 2024 03:58:32 -0800 


     [ 
https://issues.apache.org/jira/browse/CXF-8691?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated CXF-8691:
-------------------------------------
    Fix Version/s: 4.0.5
                       (was: 4.0.4)

> Logging Feature - Sensitive element with arrays
> -----------------------------------------------
>
>                 Key: CXF-8691
>                 URL: https://issues.apache.org/jira/browse/CXF-8691
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 3.4.0, 3.5.1
>            Reporter: Daniel
>            Assignee: Andriy Redko
>            Priority: Minor
>              Labels: Logging
>             Fix For: 3.5.8, 3.6.3, 4.0.5
>
>
> Hi,
> I am trying to use the LoggingFeature within cxf-rt and hide sensitive 
> element names.
> The code I use looks like the following:
>  
> {code:java}
> LoggingFeature loggingFeature = new LoggingFeature();
> loggingFeature.setLogBinary(false);
> loggingFeature.setPrettyLogging(true);
> loggingFeature.setLogMultipart(false);
> loggingFeature.addSensitiveElementNames(new 
> HashSet<>(Arrays.asList("password")));
>  {code}
> Payload:
> {code:java}
> private final String shortName;
> private final char[] password;
> {code}
>  
> Output:
>  
> {code:java}
> [services.MyWebservicePort.REQ_OUT] INFO  - REQ_OUT
>     Address: http://<some-url>
>     HttpMethod: POST
>     Content-Type: application/json
>     ExchangeId: 560b73ae-e7e0-4687-9674-19ee72995a08
>     Headers: {Accept=text/plain, Accept-Encoding=gzip;q=1.0, identity; q=0.5, 
> *;q=0, Content-Type=application/json}
>     Payload: 
> {"shortName":"UserName","password":["G","e","h","e","i","m","1","2","3","!"]} 
> {code}
> As you can see, my password is not hidden in the output of the payload. It is 
> important to mention, that the field "password" in my code is declared as a 
> char-array.
> However, if I add "shortName" to the sensetiveElementNames, everything works 
> as expected. The shortName is hidden (XXX), due to it beeing declared as a 
> String.
> I looked at the source code an tracked the problem down to a regex. 
> "password" is not found, as the value is an array (MarkSensetiveHelper.java)
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to