You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@logging.apache.org by ma...@apache.org on 2014/04/15 09:28:09 UTC
svn commit: r1587460 - in
/logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core:
appender/db/nosql/couchdb/ appender/db/nosql/mongodb/ config/plugins/
Author: mattsicker
Date: Tue Apr 15 07:28:08 2014
New Revision: 1587460
URL: http://svn.apache.org/r1587460
Log:
Better fix for LOG4J2-605
- Added @SensitivePluginAttribute for auto-censoring.
- Doesn't help if your JNDI URI contains a password, though. ;)
Added:
logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/SensitivePluginAttribute.java (with props)
Modified:
logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/nosql/couchdb/CouchDBProvider.java
logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/nosql/mongodb/MongoDBProvider.java
logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/PluginBuilder.java
Modified: logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/nosql/couchdb/CouchDBProvider.java
URL: http://svn.apache.org/viewvc/logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/nosql/couchdb/CouchDBProvider.java?rev=1587460&r1=1587459&r2=1587460&view=diff
==============================================================================
--- logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/nosql/couchdb/CouchDBProvider.java (original)
+++ logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/nosql/couchdb/CouchDBProvider.java Tue Apr 15 07:28:08 2014
@@ -21,6 +21,7 @@ import java.lang.reflect.Method;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.appender.AbstractAppender;
import org.apache.logging.log4j.core.appender.db.nosql.NoSQLProvider;
+import org.apache.logging.log4j.core.config.plugins.SensitivePluginAttribute;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.config.plugins.PluginAttribute;
import org.apache.logging.log4j.core.config.plugins.PluginFactory;
@@ -86,7 +87,7 @@ public final class CouchDBProvider imple
@PluginAttribute("server") String server,
@PluginAttribute("port") final String port,
@PluginAttribute("username") final String username,
- @PluginAttribute("password") final String password,
+ @SensitivePluginAttribute("password") final String password,
@PluginAttribute("factoryClassName") final String factoryClassName,
@PluginAttribute("factoryMethodName") final String factoryMethodName) {
CouchDbClient client;
Modified: logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/nosql/mongodb/MongoDBProvider.java
URL: http://svn.apache.org/viewvc/logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/nosql/mongodb/MongoDBProvider.java?rev=1587460&r1=1587459&r2=1587460&view=diff
==============================================================================
--- logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/nosql/mongodb/MongoDBProvider.java (original)
+++ logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/nosql/mongodb/MongoDBProvider.java Tue Apr 15 07:28:08 2014
@@ -23,6 +23,7 @@ import java.util.List;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.appender.AbstractAppender;
import org.apache.logging.log4j.core.appender.db.nosql.NoSQLProvider;
+import org.apache.logging.log4j.core.config.plugins.SensitivePluginAttribute;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.config.plugins.PluginAttribute;
import org.apache.logging.log4j.core.config.plugins.PluginFactory;
@@ -97,7 +98,7 @@ public final class MongoDBProvider imple
@PluginAttribute("server") final String server,
@PluginAttribute("port") final String port,
@PluginAttribute("username") final String username,
- @PluginAttribute("password") final String password,
+ @SensitivePluginAttribute("password") final String password,
@PluginAttribute("factoryClassName") final String factoryClassName,
@PluginAttribute("factoryMethodName") final String factoryMethodName) {
DB database;
Modified: logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/PluginBuilder.java
URL: http://svn.apache.org/viewvc/logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/PluginBuilder.java?rev=1587460&r1=1587459&r2=1587460&view=diff
==============================================================================
--- logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/PluginBuilder.java (original)
+++ logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/PluginBuilder.java Tue Apr 15 07:28:08 2014
@@ -179,17 +179,15 @@ public class PluginBuilder<T> {
} else if (a instanceof PluginAttribute) {
final PluginAttribute attribute = (PluginAttribute) a;
final String name = attribute.value();
- final String value = configuration.getStrSubstitutor().replace(event, getAttrValue(name, aliases));
- args[i] = value;
- sb.append(name).append("=\"");
+ args[i] = getReplacedAttributeValue(name, aliases);
+ sb.append(name).append("=\"").append(args[i]).append('"');
+ } else if (a instanceof SensitivePluginAttribute) {
// LOG4J2-605
// we shouldn't be displaying passwords
- if ("password".equalsIgnoreCase(name)) {
- sb.append(NameUtil.md5(value + PluginBuilder.class.getName()));
- } else {
- sb.append(value);
- }
- sb.append('"');
+ final SensitivePluginAttribute attribute = (SensitivePluginAttribute) a;
+ final String name = attribute.value();
+ args[i] = getReplacedAttributeValue(name, aliases);
+ sb.append(name).append("=\"").append(NameUtil.md5(args[i] + PluginBuilder.class.getName())).append('"');
} else if (a instanceof PluginElement) {
final PluginElement element = (PluginElement) a;
final String name = element.value();
@@ -265,6 +263,10 @@ public class PluginBuilder<T> {
return aliases;
}
+ private String getReplacedAttributeValue(final String name, final String... aliases) {
+ return configuration.getStrSubstitutor().replace(event, getAttrValue(name, aliases));
+ }
+
private String getAttrValue(final String name, final String... aliases) {
final Map<String, String> attrs = node.getAttributes();
for (final Map.Entry<String, String> entry : attrs.entrySet()) {
@@ -275,7 +277,7 @@ public class PluginBuilder<T> {
return attr;
}
if (aliases != null) {
- for (String alias : aliases) {
+ for (final String alias : aliases) {
if (key.equalsIgnoreCase(alias)) {
final String attr = entry.getValue();
attrs.remove(key);
Added: logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/SensitivePluginAttribute.java
URL: http://svn.apache.org/viewvc/logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/SensitivePluginAttribute.java?rev=1587460&view=auto
==============================================================================
--- logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/SensitivePluginAttribute.java (added)
+++ logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/SensitivePluginAttribute.java Tue Apr 15 07:28:08 2014
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.logging.log4j.core.config.plugins;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Identifies a sensitive PluginAttribute. This means that the value should NOT be displayed in log messages anywhere
+ * and instead should be hashed.
+ *
+ * @see org.apache.logging.log4j.core.helpers.NameUtil#md5(String) MD5
+ * @see PluginAttribute
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.PARAMETER)
+public @interface SensitivePluginAttribute {
+ String value();
+}
Propchange: logging/log4j/log4j2/trunk/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/SensitivePluginAttribute.java
------------------------------------------------------------------------------
svn:eol-style = native