<fix>[core]: add @NoLogging to sensitive config fields#3342
Open
ZStack-Robot wants to merge 1 commit into5.5.6from
Open
<fix>[core]: add @NoLogging to sensitive config fields#3342ZStack-Robot wants to merge 1 commit into5.5.6from
ZStack-Robot wants to merge 1 commit into5.5.6from
Conversation
Walkthrough新增对 ExternalPrimaryStorageInventory 中 Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes 诗歌
🚥 Pre-merge checks | ✅ 3 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches
🧪 Generate unit tests (beta)
Comment |
The mdsUrls field in ExternalPrimaryStorage config contains user:password@host format credentials. Add desensitization to mask credentials as ***@host in API/CLI output. Resolves: ZSTAC-80664 Change-Id: I94bdede5a1b52eb039de70efb5458693484405f7
MatheMatrix
force-pushed
the
sync/ye.zou/fix/ZSTAC-80664
branch
from
6902789 to
8a796dc
Compare
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In
`@header/src/main/java/org/zstack/header/storage/addon/primary/ExternalPrimaryStorageInventory.java`:
- Around line 91-95: The desensitizeUrl method currently strips the protocol
(e.g., turning "iscsi://user:pass@host" into "***@host"); update desensitizeUrl
so it preserves the scheme/protocol prefix (everything up to and including
"://") and only masks the credentials portion before the '@' (replace credential
characters with "***" or similar) while keeping the rest of the URL intact;
locate and modify the desensitizeUrl method to detect the "://" delimiter and
the last '@' (using the existing atIndex logic) and build the returned string as
protocol + maskedCredentials + substring(from atIndex) so callers depending on
protocol parsing keep backward-compatible behavior.
Comment on lines
+91
to
+95
| private static String desensitizeUrl(String url) { | ||
| int atIndex = url.lastIndexOf('@'); | ||
| if (atIndex > 0) { | ||
| return "***" + url.substring(atIndex); | ||
| } |
There was a problem hiding this comment.
脱敏后丢失协议前缀,可能破坏兼容性。
当前逻辑会把 iscsi://user:pass@host 变成 ***@host,协议头丢失,容易影响依赖协议解析的客户端或历史行为。建议保留协议前缀,仅遮蔽凭据段。
🛠️ 保留协议前缀的修复建议
private static String desensitizeUrl(String url) {
int atIndex = url.lastIndexOf('@');
if (atIndex > 0) {
- return "***" + url.substring(atIndex);
+ int schemeIndex = url.indexOf("://");
+ if (schemeIndex >= 0 && schemeIndex < atIndex) {
+ String prefix = url.substring(0, schemeIndex + 3);
+ return prefix + "***" + url.substring(atIndex);
+ }
+ return "***" + url.substring(atIndex);
}
return url;
}🤖 Prompt for AI Agents
In
`@header/src/main/java/org/zstack/header/storage/addon/primary/ExternalPrimaryStorageInventory.java`
around lines 91 - 95, The desensitizeUrl method currently strips the protocol
(e.g., turning "iscsi://user:pass@host" into "***@host"); update desensitizeUrl
so it preserves the scheme/protocol prefix (everything up to and including
"://") and only masks the credentials portion before the '@' (replace credential
characters with "***" or similar) while keeping the rest of the URL intact;
locate and modify the desensitizeUrl method to detect the "://" delimiter and
the last '@' (using the existing atIndex logic) and build the returned string as
protocol + maskedCredentials + substring(from atIndex) so callers depending on
protocol parsing keep backward-compatible behavior.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resolves: ZSTAC-80664\n\nAdd @nologging annotation to prevent sensitive configuration data from being logged.
sync from gitlab !9171