Posted to pr@cassandra.apache.org by GitBox <gi...@apache.org> on 2022/01/12 06:35:35 UTC

[GitHub] [cassandra] bereng commented on a change in pull request #1293: PasswordObfuscator should not assume PASSWORD is the last item in the…

bereng commented on a change in pull request #1293:
URL: https://github.com/apache/cassandra/pull/1293#discussion_r782746637



##########
File path: src/java/org/apache/cassandra/audit/AuditLogManager.java
##########
@@ -135,7 +143,21 @@ else if (e instanceof AuthenticationException)
             builder.setType(AuditLogEntryType.REQUEST_FAILURE);
         }
 
-        builder.appendToOperation(QueryEvents.instance.getObfuscator().obfuscate(e.getMessage()));
+        // A syntax error may reveal the password in the form of 'line 1:33 mismatched input 'secret_password''
+        String safeMsg = e.getMessage();
+        if (e != null && e instanceof SyntaxException && queries != null && !queries.isEmpty())
+        {
+            for (String query : queries)
+            {
+                if (query.toLowerCase().contains(PasswordObfuscator.PASSWORD_TOKEN))
+                {
+                    safeMsg = "Syntax Exception. Obscured for security reasons.";
+                    break;
+                }
+            }
+        }
+
+        builder.appendToOperation(PasswordObfuscator.obfuscate(safeMsg));
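Review bot: The `e != null` test in the new `if` condition comes one line after `String safeMsg = e.getMessage();` has already dereferenced `e`, so it cannot protect anything: a null `e` throws at the assignment, and a non-null `e` makes the test redundant. Since `instanceof` is already false for null, the condition can be reduced to `e instanceof SyntaxException && queries != null && !queries.isEmpty()`. Separately, `query.toLowerCase()` uses the JVM default locale; `toLowerCase(Locale.ROOT)` would keep the match against `PasswordObfuscator.PASSWORD_TOKEN` independent of the host's locale settings, which matters here because a missed match means the raw syntax error message goes into the audit log.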

Review comment:
       I'll take that one as optional if you don't mind as I prefer it inline. Total personal thing of mine lol




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: pr-unsubscribe@cassandra.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


