[CAMEL-17452] camel-util - URISupport#sanitizeUri sanitizes passwords incorrectly if remaining uri contains expression ${<expr>} - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.14.0
Fix Version/s: 3.14.1, 3.15.0
Component/s: camel-core
Labels:
None

Estimated Complexity:
Unknown

Description

The following unit test demonstrates the problem with URISupport#sanitize:

    @Test
    public void testSanitizeUriWithRawPasswordAndSimpleExpression() {
        String uriPlain = "http://foo?username=me&password=RAW(me#@123)&foo=bar&port=21&tempFileName=${file:name.noext}.tmp&anotherOption=true";
        String uriCurly = "http://foo?username=me&password=RAW{me#@123}&foo=bar&port=21&tempFileName=${file:name.noext}.tmp&anotherOption=true";
        String expected = "http://foo?username=me&password=xxxxxx&foo=bar&port=21&tempFileName=${file:name.noext}.tmp&anotherOption=true";
        // "http://foo?username=me&password=xxxxxx.tmp&anotherOption=true" is the actual result
        assertEquals(expected, URISupport.sanitizeUri(uriPlain));
        assertEquals(expected, URISupport.sanitizeUri(uriCurly));
    }

The problem is that the SECRETS pattern in URISupport eagerly eats everything up until the ending of ${file:name.noext}.

It can be resolved by changing the regex-pattern, like so:

private static final Pattern SECRETS = Pattern.compile(
            "([?&][^=]*(?:passphrase|password|secretKey|accessToken|clientSecret|authorizationToken|saslJaasConfig)[^=]*)=(RAW(([{][^}]*[}])|([(][^)]*[)]))|[^&]*)",
            Pattern.CASE_INSENSITIVE);