Posted to commits@jackrabbit.apache.org by tr...@apache.org on 2017/04/26 08:27:02 UTC

svn commit: r1792710 - in /jackrabbit/commons/filevault/trunk/vault-core/src: main/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddress.java test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java

Author: tripod
Date: Wed Apr 26 08:27:02 2017
New Revision: 1792710

URL: http://svn.apache.org/viewvc?rev=1792710&view=rev
Log:
JCRVLT-175 Ensure RcpTask is clearing out sensitive data in toString statement

Modified:
    jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddress.java
    jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java

Modified: jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddress.java
URL: http://svn.apache.org/viewvc/jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddress.java?rev=1792710&r1=1792709&r2=1792710&view=diff
==============================================================================
--- jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddress.java (original)
+++ jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddress.java Wed Apr 26 08:27:02 2017
@@ -280,12 +280,18 @@ public class RepositoryAddress {
     /**
      * {@inheritDoc}
      *
-     * @return same as {@link #getURI() getURI().toString()}
+     * @return same as {@link #getURI() getURI().toString()} with obfuscated user info
      */
     @Override
     @Nonnull
     public String toString() {
-        return getURI().toString();
+        final URI uri = getURI();
+        final String userInfo = uri.getRawUserInfo();
+        if (userInfo != null) {
+            return uri.toString().replace(userInfo, "******:******");
+        } else {
+            return uri.toString();
+        }
     }
 
     /**
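Review bot: `uri.toString().replace(userInfo, "******:******")` in the new toString() substitutes every occurrence of the raw user-info text in the URI string, not only the one in the authority component. If the same text also appears in the host or path (for example a user named like the host), those parts are rewritten too, and an empty user info (`http://@host/`, if the parser yields `""` for it) would put the mask between every character. Anchoring the match on the authority delimiters keeps the masking exact: `return uri.toString().replace("//" + userInfo + "@", "//******:******@");`. The Javadoc could also state that getURI() still returns the credentials unmasked, so callers that log the URI directly are not covered by this change.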
@@ -372,4 +378,4 @@ public class RepositoryAddress {
     }
 
 
-}
\ No newline at end of file
+}

Modified: jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java?rev=1792710&r1=1792709&r2=1792710&view=diff
==============================================================================
--- jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java (original)
+++ jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java Wed Apr 26 08:27:02 2017
@@ -17,6 +17,10 @@
 
 package org.apache.jackrabbit.vault.fs.api;
 
+import javax.jcr.SimpleCredentials;
+
+import org.apache.jackrabbit.vault.util.Text;
+
 import junit.framework.TestCase;
 
 /**
@@ -370,4 +374,31 @@ public class RepositoryAddressTest exten
         RepositoryAddress ra1 = new RepositoryAddress(ra.getURI());
         assertEquals("uri", uri, ra1.getURI().toString());
     }
+
+    public void testToStringHttpWithUserInfo() throws Exception {
+        String creds = "foo:bar";
+        RepositoryAddress ra = new RepositoryAddress("http://" + creds + "@localhost:8080/-/jcr:root");
+
+        String toString = ra.toString();
+        assertFalse("toString should not contain credentials [" + toString + "]", toString.contains(creds));
+    }
+
+    public void testToStringHttpWithUserInfoEscaped() throws Exception {
+        String creds = "my-user:" + Text.escape("p!@#$%^&*ass");
+        RepositoryAddress ra = new RepositoryAddress("http://" + creds + "@localhost:8080/-/jcr:root");
+
+        String toString = ra.toString();
+        assertFalse("toString should not contain credentials [" + toString + "]", toString.contains(creds));
+    }
+
+    public void testGetCredentials() throws Exception {
+        String user = "my-user";
+        String password = "p!@#$%^&*ass";
+        String creds = Text.escape(user + ":" + password);
+        RepositoryAddress ra = new RepositoryAddress("http://" + creds + "@localhost:8080/-/jcr:root");
+
+        SimpleCredentials sc = (SimpleCredentials) ra.getCredentials();
+        assertEquals("userId", user, sc.getUserID());
+        assertEquals("password", password, new String(sc.getPassword()));
+    }
 }
\ No newline at end of file
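Review bot: The two toString tests only assert that the combined `user:password` string is absent, so an implementation that masked the user name but left the password in the output would still pass. Add an assertion on the password alone, e.g. `assertFalse(toString.contains("bar"));` in testToStringHttpWithUserInfo and `assertFalse(toString.contains(Text.escape("p!@#$%^&*ass")));` in the escaped variant. A positive check such as `assertTrue(toString.contains("@localhost:8080/"));` (assuming the address keeps host and port as given) would also catch a replacement that damages the rest of the URI. The test class begins outside this hunk.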