Posted to commits@karaf.apache.org by jb...@apache.org on 2022/10/05 08:52:52 UTC

[karaf] branch karaf-4.3.x updated: KARAF-7537 - Password displayed in console using repo-list

This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch karaf-4.3.x
in repository https://gitbox.apache.org/repos/asf/karaf.git


The following commit(s) were added to refs/heads/karaf-4.3.x by this push:
     new 702d69c1f7 KARAF-7537 - Password displayed in console using repo-list
702d69c1f7 is described below

commit 702d69c1f72b4a15684f583937de7c467849341f
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Mon Oct 3 16:29:16 2022 +0100

    KARAF-7537 - Password displayed in console using repo-list
    
    (cherry picked from commit 2a6adc8a9821aa50e37ebc5a2426ee2347ff0915)
---
 .../karaf/features/command/RepoListCommand.java    |  7 ++++-
 .../features/command/RepoListCommandTest.java      | 35 ++++++++++++++++++++--
 .../karaf/webconsole/features/FeaturesPlugin.java  |  4 +++
 3 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/features/command/src/main/java/org/apache/karaf/features/command/RepoListCommand.java b/features/command/src/main/java/org/apache/karaf/features/command/RepoListCommand.java
index a91182f832..6c59da8e9a 100644
--- a/features/command/src/main/java/org/apache/karaf/features/command/RepoListCommand.java
+++ b/features/command/src/main/java/org/apache/karaf/features/command/RepoListCommand.java
@@ -59,7 +59,12 @@ public class RepoListCommand extends FeaturesCommandSupport {
             if (repo != null) {
                 if (showBlacklisted || !repo.isBlacklisted()) {
                     Row row = table.addRow();
-                    row.addContent(repo.getName(), repo.getURI().toString());
+                    String uri = repo.getURI().toString();
+                    // Hide the user:password if it contains one
+                    if (uri.matches("\\S*://\\S*:\\S*@\\S*")) {
+                        uri = uri.replaceFirst("://\\S*@", "://*****:*****@");
+                    }
+                    row.addContent(repo.getName(), uri);
                     if (showBlacklisted) {
                         row.addContent(repo.isBlacklisted() ? "yes" : "no");
                     }
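Review bot: The guard `uri.matches("\\S*://\\S*:\\S*@\\S*")` only fires when a `:` sits between `://` and `@`, so a repository URI whose user-info is a bare token or username with no password part is still printed in full; the same check is copied into the FeaturesPlugin.java hunk. Dropping the colon requirement, `if (uri.matches("\\S*://\\S*@\\S*")) {`, masks strictly more than the current check and never less. Separately, the greedy `\\S*@` in `replaceFirst` runs to the last `@` in the string, so a URI with a later `@` in its path or query loses its host in the listing; that fails closed, but it deserves a comment or a pattern bounded to the authority. Since the logic now exists twice, a single shared helper would keep the shell command and the web console from drifting apart. The enclosing method starts and ends outside the hunk.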
diff --git a/features/command/src/test/java/org/apache/karaf/features/command/RepoListCommandTest.java b/features/command/src/test/java/org/apache/karaf/features/command/RepoListCommandTest.java
index 888138b620..8957c3a9e6 100644
--- a/features/command/src/test/java/org/apache/karaf/features/command/RepoListCommandTest.java
+++ b/features/command/src/test/java/org/apache/karaf/features/command/RepoListCommandTest.java
@@ -28,8 +28,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.PrintStream;
 import java.net.URI;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.*;
 
 public class RepoListCommandTest extends RepositoryCommandTestBase {
 
@@ -138,4 +137,36 @@ public class RepoListCommandTest extends RepositoryCommandTestBase {
 
         EasyMock.verify(service, blacklistedRepo, whitelistedRepo);
     }
+
+    @Test
+    public void testPasswordsHidden() throws Exception {
+        FeaturesService service = EasyMock.createMock(FeaturesService.class);
+
+        Repository repo = EasyMock.createMock(Repository.class);
+        URI repoUri = URI.create("mvn:https://user:password@repo1.maven.org/maven2!org.apache.cxf.karaf/apache-cxf/3.5.3/xml/features");
+        EasyMock.expect(repo.getURI()).andReturn(repoUri).anyTimes();
+        EasyMock.expect(repo.getName()).andReturn("cxf-3.5.3").anyTimes();
+        EasyMock.expect(repo.isBlacklisted()).andReturn(false);
+
+        EasyMock.expect(service.listRepositories()).andReturn(new Repository[]{repo});
+
+        EasyMock.replay(service, repo);
+
+        RepoListCommand repoListCommand = new RepoListCommand();
+        repoListCommand.setFeaturesService(service);
+        repoListCommand.noFormat = true;
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        PrintStream out = new PrintStream(baos);
+        System.setOut(out);
+
+        repoListCommand.execute();
+        out.flush();
+
+        String commandOutput = baos.toString();
+        assertTrue(commandOutput.contains("*****:*****"));
+        assertFalse(commandOutput.contains("user:password"));
+
+        EasyMock.verify(service, repo);
+    }
 }
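Review bot: testPasswordsHidden pins only the `user:password@` form, so the inputs where the masking regex is most likely to misbehave are unchecked: a repository URI without credentials that must be printed unchanged, user-info that has no password part, and a URI with an `@` or a port colon after the host. An extra assertion such as `assertTrue(commandOutput.contains("repo1.maven.org/maven2"))` would also confirm that the host survives the replacement. The test calls `System.setOut(out)` and never restores the previous stream; saving it first and resetting it in a `finally` with `System.setOut(previous);` keeps the redirect from leaking into later tests, unless the base class already handles that outside this hunk.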
diff --git a/webconsole/features/src/main/java/org/apache/karaf/webconsole/features/FeaturesPlugin.java b/webconsole/features/src/main/java/org/apache/karaf/webconsole/features/FeaturesPlugin.java
index a08cc06e2f..0ad1fef12e 100644
--- a/webconsole/features/src/main/java/org/apache/karaf/webconsole/features/FeaturesPlugin.java
+++ b/webconsole/features/src/main/java/org/apache/karaf/webconsole/features/FeaturesPlugin.java
@@ -277,6 +277,10 @@ public class FeaturesPlugin extends AbstractWebConsolePlugin {
             jw.value(name);
             jw.key("url");
             String uri = r.getURI().toString();
+            // Hide the user:password if it contains one
+            if (uri.matches("\\S*://\\S*:\\S*@\\S*")) {
+                uri = uri.replaceFirst("://\\S*@", "://*****:*****@");
+            }
             jw.value(uri);
             jw.key("actions");
             jw.array();
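Review bot: The masked string is written as the `url` value of the JSON that the web console page consumes, and the `actions` array follows immediately. If the client-side code sends that `url` back to identify a repository for those actions (not visible in this hunk), the server would receive `://*****:*****@...` and fail to match the registered repository. It is worth confirming how the page uses `url`; if it is an identifier, have the server resolve the repository by name rather than by the displayed URL, so the real credentials never need to reach the browser. The surrounding method starts and ends outside the hunk.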