[Rt-commit] rt branch, 5.0/redact_nested_credentials_configuration, created. rt-5.0.0-3-g19a336864e
Aaron Trevena
ast at bestpractical.com
Thu Aug 6 15:08:18 EDT 2020
The branch, 5.0/redact_nested_credentials_configuration has been created
at 19a336864eedf3ea19416c5b98809f2f5e498d38 (commit)
- Log -----------------------------------------------------------------
commit c2efd5aa1ad7cf76503e82551d1fbe7b73387d53
Author: Aaron Trevena <ast at bestpractical.com>
Date: Tue Jan 14 17:59:53 2020 +0000
Added helpers to scrub sensitive values for logging and transactions
diff --git a/etc/cpanfile b/etc/cpanfile
index e4fb6d629f..aa098b7574 100644
--- a/etc/cpanfile
+++ b/etc/cpanfile
@@ -15,6 +15,7 @@ requires 'CSS::Minifier::XS';
requires 'CSS::Squish', '>= 0.06';
requires 'Data::GUID';
requires 'Data::ICal';
+requires 'Data::Rmap';
requires 'Data::Page::Pageset';
requires 'Date::Extract', '>= 0.02';
requires 'Date::Manip';
diff --git a/lib/RT/Util.pm b/lib/RT/Util.pm
index f537336c0e..343582431d 100644
--- a/lib/RT/Util.pm
+++ b/lib/RT/Util.pm
@@ -52,8 +52,10 @@ use warnings;
use base 'Exporter';
-our @EXPORT = qw/safe_run_child mime_recommended_filename EntityLooksLikeEmailMessage EmailContentTypes/;
+our @EXPORT = qw/safe_run_child mime_recommended_filename EntityLooksLikeEmailMessage EmailContentTypes
+ filter_sensitive_fields fieldname_is_blocklisted/;
+use Data::Rmap;
use Encode qw/encode/;
sub safe_run_child (&) {
@@ -250,6 +252,63 @@ sub EmailContentTypes {
return ( 'message/rfc822', 'message/partial', 'message/external-body' );
}
+
+=head2 filter_sensitive_fields
+
+Takes a hashref or arrayref and filters it recursively replacing any blocklisted fields
+with ******
+
+Allows you to prevent leaking of passwords, credentials or keys in logs, etc
+
+default blocklist is password credential key secret
+
+additional fields can be added to block list by providing a comma seperated list in
+the LogFieldBlocklist configuration field.
+
+=cut
+
+sub filter_sensitive_fields {
+ my ($data, $replace_with) = @_;
+ $replace_with //= '********';
+ rmap_all { _scrub_sensitive_fields($_, $replace_with) } $data;
+}
+
+my $blocklist = [qw(passphrase password credential key secret)];
+if (my $config_blocklisted_fields = RT->Config->Get('LogFieldBlocklist')) {
+ push (@$blocklist, split(/\s*,\s*/, $config_blocklisted_fields));
+}
+my $safelist = [qw(MinimumPasswordLength)];
+
+=head2 fieldname_is_blocklisted
+
+Check if a fieldname is blocklisted to avoid leaking sensitive information
+
+=cut
+
+sub fieldname_is_blocklisted {
+ my $fieldname = shift;
+ return 0 if (grep { $fieldname eq $_ } @$safelist);
+ foreach my $blocklisted_fieldname (@$blocklist) {
+ return 1 if ($fieldname =~ m/$blocklisted_fieldname/i);
+ }
+ return 0;
+}
+
+sub _scrub_sensitive_fields {
+ my ($node, $replace_with) = @_;
+ if (ref $_ eq 'HASH' ) {
+ foreach my $fieldname (keys %$node) {
+ if (fieldname_is_blocklisted($fieldname)) {
+ $node->{$fieldname} = $replace_with;
+ }
+ }
+ }
+ return $_;
+};
+
+
+
+
RT::Base->_ImportOverlays();
1;
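Review bot: `filter_sensitive_fields` scrubs the caller's structure in place — `rmap_all` aliases `$_` to each node and `_scrub_sensitive_fields` writes `$node->{$fieldname} = $replace_with` straight into it — and then returns whatever `rmap_all` returns (per Data::Rmap's documentation, the list of block results, one per visited node) rather than the filtered structure, so a caller that hands it a live hash such as one obtained from `RT->Config->Get` is left with its real values replaced by asterisks for the rest of the process. Work on a `Storable::dclone` copy and return it, as sketched below (dclone refuses CODE refs, so guard that case if config values can hold callbacks). Separately, the blocklist is extended from `RT->Config->Get('LogFieldBlocklist')` at module load, which silently contributes nothing if RT::Util is compiled before the site config has been read — resolving it lazily on the first call to `fieldname_is_blocklisted` avoids that. Each entry is also interpolated unescaped into `m/$blocklisted_fieldname/i`; admin-supplied entries should be matched as `m/\Q$blocklisted_fieldname\E/i` so a stray metacharacter cannot break the check or turn it into a match-everything pattern. `_scrub_sensitive_fields` tests and returns the global `$_` instead of its `$node` argument, which only works because rmap_all happens to set `$_`.
```perl
use Storable qw(dclone);

sub filter_sensitive_fields {
    my ($data, $replace_with) = @_;
    $replace_with //= '********';
    # Scrub a copy so the caller's (possibly live) structure keeps its values,
    # and return the copy rather than rmap_all's per-node result list.
    my $copy = ref $data ? dclone($data) : $data;
    rmap_all { _scrub_sensitive_fields($_, $replace_with) } $copy;
    return $copy;
}

# … unchanged: blocklist/safelist setup, fieldname_is_blocklisted (with \Q…\E) …

sub _scrub_sensitive_fields {
    my ($node, $replace_with) = @_;
    if (ref $node eq 'HASH') {
        for my $fieldname (keys %$node) {
            $node->{$fieldname} = $replace_with if fieldname_is_blocklisted($fieldname);
        }
    }
    return $node;
}
```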
commit 19a336864eedf3ea19416c5b98809f2f5e498d38
Author: Aaron Trevena <ast at bestpractical.com>
Date: Thu Aug 6 20:07:42 2020 +0100
Update Configuration display to scrub sensitive fields
diff --git a/share/html/Admin/Tools/Configuration.html b/share/html/Admin/Tools/Configuration.html
index 5e6cdce28b..4169e94812 100644
--- a/share/html/Admin/Tools/Configuration.html
+++ b/share/html/Admin/Tools/Configuration.html
@@ -91,7 +91,7 @@ foreach my $key ( RT->Config->Options( Overridable => undef, Sorted => 0 ) ) {
<div class="form-row <% $index_conf%2 ? 'oddline' : 'evenline'%>">
<div class="value col-4 collection-as-table"><% $key %></div>
<div class="value col-4 collection-as-table">
-% if ( $key =~ /Password/i and $key !~ /MinimumPasswordLength/ ) {
+% if ( fieldname_is_blocklisted($key) ) {
<em><% loc('Password not printed' ) %></em>\
% } else {
<% stringify($val) |n %>\
@@ -127,7 +127,7 @@ foreach my $key ( sort keys %{*RT::} ) {
<div class="form-row collection-as-table <% $index_var%2 ? 'oddline' : 'evenline'%>">
<div class="value col-6 collection-as-table">RT::<% $key %></div>
<div class="value col-6 collection-as-table">
-% if ( $key =~ /Password(?!Length)/i ) {
+% if ( fieldname_is_blocklisted($key)) {
<em><% loc('Password not printed' ) %></em>\
% } else {
<% ${'RT::'.$key} %>
@@ -317,7 +317,12 @@ if ($item =~ /^\s*(.*?)\s*v(\S+);/) {
% for my $key (sort keys %ENV) {
<div class="collection-as-table <% $row++ %2 ? 'oddline' : 'evenline'%> form-row">
<div class="collection-as-table value col-6"><% $key %></div>
+% if ( fieldname_is_blocklisted($key) ) {
+<div class="collection-as-table value col-6"><% loc('Password not printed' ) %></div>
+% }
+% else {
<div class="collection-as-table value col-6"><% $ENV{$key} %></div>
+% }
</div>
% }
</&>
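Review bot: The `%ENV` dump is gated only by the name blocklist (passphrase/password/credential/key/secret), so environment values that carry credentials under other names are still printed in full — in a CGI/FastCGI deployment that presumably includes `HTTP_COOKIE` (the viewing admin's own session cookie) and `HTTP_AUTHORIZATION`, and often variables such as `DATABASE_URL` or `*_TOKEN`. Consider adding `cookie`, `authorization` and `token` to the default blocklist or to an ENV-specific list before this page goes out. The label `Password not printed` is now shown for any blocklisted name, not only passwords, so a neutral wording such as `loc('Sensitive value not printed')` would be more accurate. The enclosing Mason component continues outside the hunk.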
@@ -367,12 +372,13 @@ my $row = 1;
</div>
<%INIT>
use Data::Dumper;
+use RT::Util;
local $Data::Dumper::Terse = 1;
local $Data::Dumper::Indent = 2;
sub stringify {
my $value = shift;
- my $output = Dumper $value;
+ my $output = Dumper filter_sensitive_fields($value, loc('Sensitive field value not printed'));
RT::Interface::Web::EscapeHTML(\$output);
$output =~ s/ / /g;
$output =~ s!\n!<br />!g;
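Review bot: `Dumper filter_sensitive_fields($value, ...)` dumps the helper's return value, and as defined in lib/RT/Util.pm that is what `rmap_all` returns — per Data::Rmap, the list of block results for every visited node — not the filtered structure, so the rendered output would likely be a flat list of every nested value rather than the config hash; the helper also edits `$value` in place, which for a reference straight out of `RT->Config->Get` appears to mutate the live setting. Until the helper returns a filtered copy, scrub a clone here: `my $copy = ref $value ? dclone($value) : $value; filter_sensitive_fields($copy, loc('Sensitive field value not printed')); my $output = Dumper $copy;` with `use Storable qw(dclone);` next to `use Data::Dumper;`. `stringify` continues past the end of the hunk.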
-----------------------------------------------------------------------