Avoid logging secrets in jvm arguments (#148)

* Avoid logging secrets * Avoid logging secrets * Avoid logging secrets * Avoid logging secrets * Avoid logging secrets * Avoid logging secrets
memiiso · Nov 10, 2022 · cf25e45 · cf25e45
1 parent a07d01f
commit cf25e45
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 3 deletions.
diff --git a/pom.xml b/pom.xml
@@ -18,7 +18,7 @@
     <packaging>pom</packaging>
 
     <properties>
-        <revision>0.1.0-SNAPSHOT</revision>
+        <revision>0.3.0-SNAPSHOT</revision>
 
         <!-- Instruct the build to use only UTF-8 encoding for source code -->
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

diff --git a/python/debezium/__init__.py b/python/debezium/__init__.py
@@ -1,12 +1,13 @@
 import argparse
-import jnius_config
 import logging
 import os
 import sys
 #####  loggger
 import threading
 from pathlib import Path
 
+import jnius_config
+
 log = logging.getLogger(name="debezium")
 log.setLevel(logging.INFO)
 handler = logging.StreamHandler(sys.stdout)
@@ -63,12 +64,43 @@ def java_home(self, java_home: str):
         os.environ["JAVA_HOME"] = java_home
         log.info("JAVA_HOME set to %s" % java_home)
 
+    def _sanitize(self, jvm_option: str):
+        """Sanitizes jvm argument like `my.property.secret=xyz` if it contains secret.
+        >>> dbz = Debezium()
+        >>> dbz._sanitize("source.pwd=pswd")
+        'source.pwd=*****'
+        >>> dbz._sanitize("source.password=pswd")
+        'source.password=*****'
+        >>> dbz._sanitize("source.secret=pswd")
+        'source.secret=*****'
+        """
+        if any(x in jvm_option.lower() for x in ['pwd', 'password', 'secret', 'apikey', 'apitoken']):
+            head, sep, tail = jvm_option.partition('=')
+            return head + '=*****'
+        else:
+            return jvm_option
+
     # pylint: disable=no-name-in-module
     def run(self, *args: str):
+        """Starts debezium process
+        >>> log.addHandler(logging.StreamHandler(sys.stdout))
+        >>> dbz = Debezium() #doctest:+ELLIPSIS
+        VM Classpath...debezium/*',...debezium/lib/*',...debezium/conf',...jnius/src']
+        >>> try: 
+        ...     dbz.run(*["source.pwd=pswd","source.password=pswd","abc.xyz=123"]) #doctest:+IGNORE_EXCEPTION_DETAIL
+        ... except Exception as e:
+        ...     pass
+        Configured jvm options:['source.pwd=*****', 'source.password=*****', 'abc.xyz=123']
+        >>> dbz.run(*["source.pwd=pswd","source.password=pswd","abc.xyz=123"]) #doctest:+ELLIPSIS
+        Traceback (most recent call last):
+        ...
+        SystemError: JVM failed to start: -1
+        """
 
         try:
             jnius_config.add_options(*args)
-            log.info("Configured jvm options:%s" % jnius_config.get_options())
+            __jvm_options: list = [self._sanitize(p) for p in jnius_config.get_options()]
+            log.info("Configured jvm options:%s" % __jvm_options)
 
             from jnius import autoclass
             DebeziumServer = autoclass('io.debezium.server.Main')