Posted to commits@brooklyn.apache.org by he...@apache.org on 2021/09/15 14:48:44 UTC
[brooklyn-server] 04/11: only include 4 bytes (8 chars) of the md5
checksum
This is an automated email from the ASF dual-hosted git repository.
heneveld pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git
commit 5397739d8b6da371d1d0815f8b2104a0cb173f80
Author: Alex Heneveld <al...@cloudsoftcorp.com>
AuthorDate: Tue Sep 14 23:01:15 2021 +0100
only include 4 bytes (8 chars) of the md5 checksum
---
.../org/apache/brooklyn/core/config/Sanitizer.java | 19 +++++++------------
.../apache/brooklyn/core/config/SanitizerTest.java | 2 +-
2 files changed, 8 insertions(+), 13 deletions(-)
diff --git a/core/src/main/java/org/apache/brooklyn/core/config/Sanitizer.java b/core/src/main/java/org/apache/brooklyn/core/config/Sanitizer.java
index f123c20..e2e6c16 100644
--- a/core/src/main/java/org/apache/brooklyn/core/config/Sanitizer.java
+++ b/core/src/main/java/org/apache/brooklyn/core/config/Sanitizer.java
@@ -18,33 +18,27 @@
*/
package org.apache.brooklyn.core.config;
-import com.google.common.reflect.TypeToken;
+import com.google.common.base.Predicate;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;
-
import java.util.stream.Collectors;
import org.apache.brooklyn.api.mgmt.ManagementContext;
import org.apache.brooklyn.config.ConfigKey;
import org.apache.brooklyn.core.server.BrooklynServerConfig;
import org.apache.brooklyn.util.core.config.ConfigBag;
-
-import com.google.common.base.Predicate;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
import org.apache.brooklyn.util.core.flags.TypeCoercions;
import org.apache.brooklyn.util.core.osgi.Osgis;
-import org.apache.brooklyn.util.internal.BrooklynSystemProperties;
import org.apache.brooklyn.util.internal.StringSystemProperty;
import org.apache.brooklyn.util.stream.Streams;
import org.apache.brooklyn.util.text.StringEscapes.BashStringEscapes;
import org.apache.brooklyn.util.text.Strings;
-import org.osgi.framework.Bundle;
-import org.osgi.framework.ServiceReference;
public final class Sanitizer {
@@ -145,7 +139,8 @@ public final class Sanitizer {
}
public static String suppress(Object value) {
- String md5Checksum = Streams.getMd5Checksum(new ByteArrayInputStream(("" + value).getBytes()));
+ // only include the first few chars so that malicious observers can't uniquely brute-force discover the source
+ String md5Checksum = Strings.maxlen(Streams.getMd5Checksum(new ByteArrayInputStream(("" + value).getBytes())), 8);
return "<suppressed> (MD5 hash: " + md5Checksum + ")";
}
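Review bot: The 8-hex-char prefix now returned by `suppress` is still an unsalted, unkeyed digest of the secret, so the added comment overstates the protection. For a low-entropy value, such as a password from a short candidate list, 32 bits is normally enough to single out the matching candidate, and equal secrets still yield equal tags wherever they are logged. I would reword the comment to state the residual leak, e.g. `// 32-bit prefix only: still confirms guesses for weak secrets and correlates equal values`, or, if that leak matters, derive the tag from a keyed hash with a per-installation key. Separately, `("" + value).getBytes()` uses the platform default charset, so the tag for a non-ASCII secret can differ between JVMs; `getBytes(StandardCharsets.UTF_8)` would pin it (needs the `java.nio.charset.StandardCharsets` import).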
diff --git a/core/src/test/java/org/apache/brooklyn/core/config/SanitizerTest.java b/core/src/test/java/org/apache/brooklyn/core/config/SanitizerTest.java
index 4b8e428..9b75034 100644
--- a/core/src/test/java/org/apache/brooklyn/core/config/SanitizerTest.java
+++ b/core/src/test/java/org/apache/brooklyn/core/config/SanitizerTest.java
@@ -84,7 +84,7 @@ public class SanitizerTest {
" allowedOnNewLine"
)), Strings.lines(
"public: password",
- "private: <suppressed> (MD5 hash: " + hashPassword2 + ")",
+ "private: <suppressed> (MD5 hash: " + hashPassword2.substring(0, 8) + ")",
"private: ",
" allowedOnNewLine"
));