Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 8 additions & 2 deletions src/sts/tests.rs
Original file line number Diff line number Diff line change
Expand Up @@ -155,15 +155,21 @@ fn unexpected_status_includes_upstream_json_error_summary() {
fn unexpected_status_redacts_sensitive_upstream_error_summary() {
let err = RustfsClientError::unexpected_status_with_body(
StatusCode::BAD_REQUEST,
r#"{"code":"InvalidRequest","message":"secretkey: SK_TEST clientSecret: oidc-secret <AccessKey>AKIA_XML</AccessKey>"}"#,
r#"{"code":"InvalidRequest","message":"secretkey: SK_TEST clientSecret: oidc-secret SecretAccessKey: SK_STS AccessKeyId: AKIA_STS <SecretAccessKey>SK_XML</SecretAccessKey> <AccessKeyId>AKIA_XML</AccessKeyId>"}"#,
);

let message = err.to_string();
assert!(message.contains("secretkey: <redacted>"));
assert!(message.contains("clientSecret: <redacted>"));
assert!(message.contains("<AccessKey><redacted></AccessKey>"));
assert!(message.contains("SecretAccessKey: <redacted>"));
assert!(message.contains("AccessKeyId: <redacted>"));
assert!(message.contains("<SecretAccessKey><redacted></SecretAccessKey>"));
assert!(message.contains("<AccessKeyId><redacted></AccessKeyId>"));
assert!(!message.contains("SK_TEST"));
assert!(!message.contains("oidc-secret"));
assert!(!message.contains("SK_STS"));
assert!(!message.contains("AKIA_STS"));
assert!(!message.contains("SK_XML"));
assert!(!message.contains("AKIA_XML"));
}

Expand Down
30 changes: 29 additions & 1 deletion src/utils/sanitize.rs
Original file line number Diff line number Diff line change
Expand Up @@ -12,15 +12,21 @@
// See the License for the specific language governing permissions and
// limitations under the License.

const SENSITIVE_KEYS: [&str; 16] = [
const SENSITIVE_KEYS: [&str; 22] = [
"token",
"password",
"accesskey",
"access_key",
"access-key",
"accesskeyid",
"access_key_id",
"access-key-id",
"secretkey",
"secret_key",
"secret-key",
"secretaccesskey",
"secret_access_key",
"secret-access-key",
"clientsecret",
"client_secret",
"client-secret",
Expand All @@ -42,7 +48,9 @@ fn is_sensitive_key(key: &str) -> bool {
"token"
| "password"
| "accesskey"
| "accesskeyid"
| "secretkey"
| "secretaccesskey"
| "clientsecret"
| "sessiontoken"
| "credential"
Expand Down Expand Up @@ -282,6 +290,26 @@ mod tests {
assert!(!sanitized.contains("SK_XML"));
}

#[test]
fn redacts_sts_credential_field_names() {
let message = r#"AccessKeyId: AKIA_TEXT SecretAccessKey: SK_TEXT {"access_key_id":"AKIA_JSON","secret-access-key":"SK_JSON"} <AccessKeyId>AKIA_XML</AccessKeyId> <SecretAccessKey>SK_XML</SecretAccessKey>"#;

let sanitized = redact_sensitive_pairs(message);

assert!(sanitized.contains("AccessKeyId: <redacted>"));
assert!(sanitized.contains("SecretAccessKey: <redacted>"));
assert!(sanitized.contains(r#""access_key_id":"<redacted>""#));
assert!(sanitized.contains(r#""secret-access-key":"<redacted>""#));
assert!(sanitized.contains("<AccessKeyId><redacted></AccessKeyId>"));
assert!(sanitized.contains("<SecretAccessKey><redacted></SecretAccessKey>"));
assert!(!sanitized.contains("AKIA_TEXT"));
assert!(!sanitized.contains("SK_TEXT"));
assert!(!sanitized.contains("AKIA_JSON"));
assert!(!sanitized.contains("SK_JSON"));
assert!(!sanitized.contains("AKIA_XML"));
assert!(!sanitized.contains("SK_XML"));
}

#[test]
fn handles_unicode_without_panicking() {
let message = "错误🔐 token: tok_123 用户=测试 secretkey: SK_TEST 完成";
Expand Down
Loading