Merge pull request #1 from ActiveState/BE-3397-cve-2022-0718

CVE-2022-0718 Fix regex used to mask password
ActiveState · Feb 1, 2024 · 5e39a98 · 5e39a98
2 parents 577da7f + 8a393de
commit 5e39a98
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 1 deletion.
diff --git a/oslo_utils/strutils.py b/oslo_utils/strutils.py
@@ -74,6 +74,7 @@
 # for XML and JSON automatically.
 _SANITIZE_PATTERNS_2 = {}
 _SANITIZE_PATTERNS_1 = {}
+_SANITIZE_PATTERNS_WILDCARD = {}
 
 # NOTE(amrith): Some regular expressions have only one parameter, some
 # have two parameters. Use different lists of patterns here.
@@ -89,13 +90,15 @@
                       r'([\'"][^\'"]*%(key)s[0-9]*[\'"]\s*,\s*\'--?[A-z]+'
                       r'\'\s*,\s*u?[\'"])[^\"\']*([\'"])',
                       r'(%(key)s[0-9]*\s*--?[A-z]+\s*)\S+(\s*)']
+_FORMAT_PATTERNS_WILDCARD = [r'([\'\"][^\"\']*%(key)s[0-9]*[\'\"]\s*:\s*u?[\'\"].*[\'\"])[^\"\']*([\'\"])']  # noqa: E501
 
 # NOTE(dhellmann): Keep a separate list of patterns by key so we only
 # need to apply the substitutions for keys we find using a quick "in"
 # test.
 for key in _SANITIZE_KEYS:
     _SANITIZE_PATTERNS_1[key] = []
     _SANITIZE_PATTERNS_2[key] = []
+    _SANITIZE_PATTERNS_WILDCARD[key] = []
 
     for pattern in _FORMAT_PATTERNS_2:
         reg_ex = re.compile(pattern % {'key': key}, re.DOTALL | re.IGNORECASE)
@@ -105,6 +108,10 @@
         reg_ex = re.compile(pattern % {'key': key}, re.DOTALL | re.IGNORECASE)
         _SANITIZE_PATTERNS_1[key].append(reg_ex)
 
+    for pattern in _FORMAT_PATTERNS_WILDCARD:
+        reg_ex = re.compile(pattern % {'key': key}, re.DOTALL | re.IGNORECASE)
+        _SANITIZE_PATTERNS_WILDCARD[key].append(reg_ex)
+
 
 def int_from_bool_as_string(subject):
     """Interpret a string as a boolean and return either 1 or 0.
@@ -332,6 +339,7 @@ def mask_password(message, secret="***"):  # nosec
 
     substitute1 = r'\g<1>' + secret
     substitute2 = r'\g<1>' + secret + r'\g<2>'
+    substitute_wildcard = r'\g<1>'
 
     # NOTE(ldbragst): Check to see if anything in message contains any key
     # specified in _SANITIZE_KEYS, if not then just return the message since
@@ -342,7 +350,12 @@ def mask_password(message, secret="***"):  # nosec
                 message = re.sub(pattern, substitute2, message)
             for pattern in _SANITIZE_PATTERNS_1[key]:
                 message = re.sub(pattern, substitute1, message)
-
+            # NOTE(hberaud): Those case are poorly handled by previous
+            # patterns. They are passwords with quotes or double quotes.
+            # They also needs a different way to substitute group this is why
+            # they aren't fix in the pattern 1 or 2.
+            for pattern in _SANITIZE_PATTERNS_WILDCARD[key]:
+                message = re.sub(pattern, substitute_wildcard, message)
     return message
 
 

diff --git a/oslo_utils/tests/test_strutils.py b/oslo_utils/tests/test_strutils.py
@@ -617,11 +617,20 @@ def test_mask_password(self):
         expected = 'test = "param1" : "value"'
         self.assertEqual(expected, strutils.mask_password(payload))
 
+        payload = 'test = "original_password" : "aaaaa"aaaa"'
+        expected = 'test = "original_password" : "***"'
+        self.assertEqual(expected, strutils.mask_password(payload))
+
         payload = """{'adminPass':'TL0EfN33'}"""
         payload = six.text_type(payload)
         expected = """{'adminPass':'***'}"""
         self.assertEqual(expected, strutils.mask_password(payload))
 
+        payload = """{'adminPass':'TL0E'fN33'}"""
+        payload = str(payload)
+        expected = """{'adminPass':'***'}"""
+        self.assertEqual(expected, strutils.mask_password(payload))
+
         payload = """{'token':'mytoken'}"""
         payload = six.text_type(payload)
         expected = """{'token':'***'}"""
@@ -697,6 +706,11 @@ def test_dictionary(self):
         self.assertEqual(expected,
                          strutils.mask_dict_password(payload))
 
+        payload = {'password': 'TL0Ef"N33'}
+        expected = {'password': '***'}
+        self.assertEqual(expected,
+                         strutils.mask_dict_password(payload))
+
         payload = {'user': 'admin', 'password': 'TL0EfN33'}
         expected = {'user': 'admin', 'password': '***'}
         self.assertEqual(expected,

diff --git a/releasenotes/notes/fix_mask_password_regex-c0661f95a23369a4.yaml b/releasenotes/notes/fix_mask_password_regex-c0661f95a23369a4.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fix regex used to mask password. The ``strutils.mask_password``
+    function will now correctly handle passwords that contain
+    single or double quotes. Previously, only the characters before the
+    quote were masked.