Copilot commented on code in PR #13726:
URL: https://github.com/apache/skywalking/pull/13726#discussion_r2887867279


##########
oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/status/ServerStatusService.java:
##########
@@ -100,19 +101,43 @@ public ConfigList dumpBootingConfigurations(String 
keywords4MaskingSecretsOfConf
                 (providerName, providerConfiguration) ->
                     providerConfiguration.getProperties().forEach(
                         (key, value) -> {
-                            for (final String keyword : keywords) {
-                                if 
(key.toString().toLowerCase().contains(keyword.toLowerCase())) {
-                                    value = "******";
-                                }
+                            if (value instanceof Properties) {
+                                Properties properties = (Properties) value;
+                                properties.forEach((k, v) -> {
+                                    String configKey = moduleName + "." + 
providerName + "." + key + "." + k;
+                                    String configValue = 
maskConfigValue(configKey, v.toString(), keywords);
+                                    configList.put(configKey, configValue);
+                                });
+                            } else {
+                                String configKey = moduleName + "." + 
providerName + "." + key;
+                                String configValue = 
maskConfigValue(key.toString(), value.toString(), keywords);
+                                configList.put(configKey, configValue);
                             }
-                            configList.put(moduleName + "." + providerName + 
"." + key, value.toString());
                         }
                     )
             );
         }
         return configList;
     }
 
+    /**
+     * Mask the configuration value if the key contains any masking keyword.
+     *
+     * @param configKey   the configuration key to check
+     * @param configValue the configuration value to mask
+     * @param keywords    the keywords for masking secrets
+     * @return masked value "******" if key matches any keyword, otherwise 
return the original value
+     */
+    private String maskConfigValue(String configKey, String configValue, 
String[] keywords) {
+        String lowerConfigKey = configKey.toLowerCase();
+        for (String keyword : keywords) {
+            if (lowerConfigKey.contains(keyword.toLowerCase())) {
+                return "******";
+            }
+        }
+        return configValue;
+    }
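Review bot: In `maskConfigValue`, `configKey.toLowerCase()` and `keyword.toLowerCase()` both use the JVM default locale, so the `contains` check can miss under locales with special casing rules (in a Turkish locale `I` lowercases to the dotless `ı`), and the value would then be dumped unmasked. Use `toLowerCase(Locale.ROOT)` on both sides, and consider lowercasing the keywords once before the loops instead of on every key.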

Review Comment:
   This new logic for handling nested `Properties` and masking sensitive values 
lacks unit test coverage. Other classes in `server-core` have corresponding 
tests (e.g., `SearchableTracesTagsWatcherTest`, 
`ComponentLibraryCatalogFileTest`). Please consider adding a test for 
`dumpBootingConfigurations` that covers: (1) masking of non-nested config 
values, (2) masking of nested `Properties` values, and (3) ensuring 
non-sensitive values are not masked.



##########
oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/status/ServerStatusService.java:
##########
@@ -100,19 +101,43 @@ public ConfigList dumpBootingConfigurations(String 
keywords4MaskingSecretsOfConf
                 (providerName, providerConfiguration) ->
                     providerConfiguration.getProperties().forEach(
                         (key, value) -> {
-                            for (final String keyword : keywords) {
-                                if 
(key.toString().toLowerCase().contains(keyword.toLowerCase())) {
-                                    value = "******";
-                                }
+                            if (value instanceof Properties) {
+                                Properties properties = (Properties) value;
+                                properties.forEach((k, v) -> {
+                                    String configKey = moduleName + "." + 
providerName + "." + key + "." + k;
+                                    String configValue = 
maskConfigValue(configKey, v.toString(), keywords);
+                                    configList.put(configKey, configValue);
+                                });
+                            } else {
+                                String configKey = moduleName + "." + 
providerName + "." + key;
+                                String configValue = 
maskConfigValue(key.toString(), value.toString(), keywords);
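Review bot: The nested branch handles only one level of nesting: inside `properties.forEach((k, v) -> ...)`, a `v` that is itself a `Properties` goes straight to `v.toString()`, so secret-named entries inside it are written to the dump unmasked unless the outer path happens to match a keyword. Either recurse while `v instanceof Properties`, or note in a comment that the configuration is limited to one level of nesting.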

Review Comment:
   Bug: Inconsistent key passed to `maskConfigValue` between the nested and 
non-nested branches. 
   
   For nested `Properties` (line 108), you pass the full `configKey` 
(`moduleName + "." + providerName + "." + key + "." + k`) to `maskConfigValue`. 
But for non-nested values (line 113), you pass only `key.toString()` instead of 
the already-computed `configKey` (`moduleName + "." + providerName + "." + 
key`).
   
   This means the masking check behaves differently for the two branches. While 
the original code also only checked against `key`, the refactored nested branch 
now checks against the full path — so these should be consistent. Please pass 
`configKey` instead of `key.toString()` on line 113 to match the behavior of 
the nested case on line 108.
   ```suggestion
                                   String configValue = 
maskConfigValue(configKey, value.toString(), keywords);
   ```


