You are viewing a plain text version of this content. The canonical link for it is here.

Posted to gitbox@activemq.apache.org by GitBox <gi...@apache.org> on 2021/03/11 16:57:59 UTC

[GitHub] [activemq-artemis] jbertram opened a new pull request #3488: ARTEMIS-3176 don't log JDBC datasource 'password' property

jbertram opened a new pull request #3488:
URL: https://github.com/apache/activemq-artemis/pull/3488


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] asfgit closed pull request #3488: ARTEMIS-3176 don't log JDBC datasource 'password' property

Posted by GitBox <gi...@apache.org>.

asfgit closed pull request #3488:
URL: https://github.com/apache/activemq-artemis/pull/3488


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] brusdev commented on a change in pull request #3488: ARTEMIS-3176 don't log JDBC datasource 'password' property

Posted by GitBox <gi...@apache.org>.

brusdev commented on a change in pull request #3488:
URL: https://github.com/apache/activemq-artemis/pull/3488#discussion_r593126439



##########
File path: artemis-jdbc-store/src/main/java/org/apache/activemq/artemis/jdbc/store/drivers/JDBCDataSourceUtils.java
##########
@@ -29,7 +29,7 @@ public static DataSource getDataSource(String dataSourceClassName, Map<String, O
       ActiveMQJournalLogger.LOGGER.initializingJdbcDataSource(dataSourceClassName, dataSourceProperties
          .keySet()
          .stream()
-         .map(key -> key + "=" + dataSourceProperties.get(key))
+         .map(key -> key + "=" + (key.equals("password") ? "****" : dataSourceProperties.get(key)))

Review comment:
       Could a user set the password using a `data-source-property` with an uppercase key?
   `<data-source-property key="PASSWORD" value="artemis" />`




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] brusdev commented on a change in pull request #3488: ARTEMIS-3176 don't log JDBC datasource 'password' property

Posted by GitBox <gi...@apache.org>.

brusdev commented on a change in pull request #3488:
URL: https://github.com/apache/activemq-artemis/pull/3488#discussion_r593126439



##########
File path: artemis-jdbc-store/src/main/java/org/apache/activemq/artemis/jdbc/store/drivers/JDBCDataSourceUtils.java
##########
@@ -29,7 +29,7 @@ public static DataSource getDataSource(String dataSourceClassName, Map<String, O
       ActiveMQJournalLogger.LOGGER.initializingJdbcDataSource(dataSourceClassName, dataSourceProperties
          .keySet()
          .stream()
-         .map(key -> key + "=" + dataSourceProperties.get(key))
+         .map(key -> key + "=" + (key.equals("password") ? "****" : dataSourceProperties.get(key)))

Review comment:
       Could a user set the password using a `data-source-property` with an uppercase property?
   `<data-source-property key="PASSWORD" value="artemis" />`




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] brusdev commented on a change in pull request #3488: ARTEMIS-3176 don't log JDBC datasource 'password' property

Posted by GitBox <gi...@apache.org>.

brusdev commented on a change in pull request #3488:
URL: https://github.com/apache/activemq-artemis/pull/3488#discussion_r592692708



##########
File path: artemis-jdbc-store/src/main/java/org/apache/activemq/artemis/jdbc/store/drivers/JDBCDataSourceUtils.java
##########
@@ -29,7 +29,7 @@ public static DataSource getDataSource(String dataSourceClassName, Map<String, O
       ActiveMQJournalLogger.LOGGER.initializingJdbcDataSource(dataSourceClassName, dataSourceProperties
          .keySet()
          .stream()
-         .map(key -> key + "=" + dataSourceProperties.get(key))
+         .map(key -> key + "=" + (key.equals("password") ? "****" : dataSourceProperties.get(key)))

Review comment:
       Could the key be uppercase?




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] brusdev commented on a change in pull request #3488: ARTEMIS-3176 don't log JDBC datasource 'password' property

Posted by GitBox <gi...@apache.org>.

brusdev commented on a change in pull request #3488:
URL: https://github.com/apache/activemq-artemis/pull/3488#discussion_r593126439



##########
File path: artemis-jdbc-store/src/main/java/org/apache/activemq/artemis/jdbc/store/drivers/JDBCDataSourceUtils.java
##########
@@ -29,7 +29,7 @@ public static DataSource getDataSource(String dataSourceClassName, Map<String, O
       ActiveMQJournalLogger.LOGGER.initializingJdbcDataSource(dataSourceClassName, dataSourceProperties
          .keySet()
          .stream()
-         .map(key -> key + "=" + dataSourceProperties.get(key))
+         .map(key -> key + "=" + (key.equals("password") ? "****" : dataSourceProperties.get(key)))

Review comment:
       Could a user set the password using a `data-source-property` with an uppercase property?
   <data-source-property key="Password" value="artemis" />




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] brusdev commented on a change in pull request #3488: ARTEMIS-3176 don't log JDBC datasource 'password' property

Posted by GitBox <gi...@apache.org>.

brusdev commented on a change in pull request #3488:
URL: https://github.com/apache/activemq-artemis/pull/3488#discussion_r593126439



##########
File path: artemis-jdbc-store/src/main/java/org/apache/activemq/artemis/jdbc/store/drivers/JDBCDataSourceUtils.java
##########
@@ -29,7 +29,7 @@ public static DataSource getDataSource(String dataSourceClassName, Map<String, O
       ActiveMQJournalLogger.LOGGER.initializingJdbcDataSource(dataSourceClassName, dataSourceProperties
          .keySet()
          .stream()
-         .map(key -> key + "=" + dataSourceProperties.get(key))
+         .map(key -> key + "=" + (key.equals("password") ? "****" : dataSourceProperties.get(key)))

Review comment:
       Could a user set the password using a `data-source-property` with an uppercase property?
   `<data-source-property key="Password" value="artemis" />`




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] jbertram commented on a change in pull request #3488: ARTEMIS-3176 don't log JDBC datasource 'password' property

Posted by GitBox <gi...@apache.org>.

jbertram commented on a change in pull request #3488:
URL: https://github.com/apache/activemq-artemis/pull/3488#discussion_r592707859



##########
File path: artemis-jdbc-store/src/main/java/org/apache/activemq/artemis/jdbc/store/drivers/JDBCDataSourceUtils.java
##########
@@ -29,7 +29,7 @@ public static DataSource getDataSource(String dataSourceClassName, Map<String, O
       ActiveMQJournalLogger.LOGGER.initializingJdbcDataSource(dataSourceClassName, dataSourceProperties
          .keySet()
          .stream()
-         .map(key -> key + "=" + dataSourceProperties.get(key))
+         .map(key -> key + "=" + (key.equals("password") ? "****" : dataSourceProperties.get(key)))

Review comment:
       It would only be uppercase if [`org.apache.activemq.artemis.core.config.storage.DatabaseStorageConfiguration#getDataSource`](https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/storage/DatabaseStorageConfiguration.java#L170) changes. It's hard-coded to use `password`. 
   
   I thought about making it a constant, but to be able to use it from `org.apache.activemq.artemis.jdbc.store.drivers.JDBCDataSourceUtils` I'd have to move it (and `org.apache.activemq.artemis.core.config.StoreConfiguration`) out of the `artemis-server` module and into the `artemis-commons` module.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] jbertram commented on a change in pull request #3488: ARTEMIS-3176 don't log JDBC datasource 'password' property

Posted by GitBox <gi...@apache.org>.

jbertram commented on a change in pull request #3488:
URL: https://github.com/apache/activemq-artemis/pull/3488#discussion_r593273448



##########
File path: artemis-jdbc-store/src/main/java/org/apache/activemq/artemis/jdbc/store/drivers/JDBCDataSourceUtils.java
##########
@@ -29,7 +29,7 @@ public static DataSource getDataSource(String dataSourceClassName, Map<String, O
       ActiveMQJournalLogger.LOGGER.initializingJdbcDataSource(dataSourceClassName, dataSourceProperties
          .keySet()
          .stream()
-         .map(key -> key + "=" + dataSourceProperties.get(key))
+         .map(key -> key + "=" + (key.equals("password") ? "****" : dataSourceProperties.get(key)))

Review comment:
       @brusdev, yes, I would assume that's theoretically possible. I will update the PR to use `equalsIgnoreCase` instead of `equals`.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org