From 8a796dc4334152600898cc24efadaa5f6a27763b Mon Sep 17 00:00:00 2001
From: "ye.zou" <ye.zou@zstack.io>
Date: Fri, 13 Feb 2026 19:25:07 +0800
Subject: [PATCH] <fix>[storage]: desensitize mdsUrls in
 ExternalPrimaryStorageInventory

The mdsUrls field in ExternalPrimaryStorage config contains
user:password@host format credentials. Add desensitization to
mask credentials as ***@host in API/CLI output.

Resolves: ZSTAC-80664

Change-Id: I94bdede5a1b52eb039de70efb5458693484405f7
---
 .../ExternalPrimaryStorageInventory.java      | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/header/src/main/java/org/zstack/header/storage/addon/primary/ExternalPrimaryStorageInventory.java b/header/src/main/java/org/zstack/header/storage/addon/primary/ExternalPrimaryStorageInventory.java
index 7808c227623..4c47baaa659 100644
--- a/header/src/main/java/org/zstack/header/storage/addon/primary/ExternalPrimaryStorageInventory.java
+++ b/header/src/main/java/org/zstack/header/storage/addon/primary/ExternalPrimaryStorageInventory.java
@@ -4,8 +4,10 @@
 import org.zstack.header.storage.primary.PrimaryStorageInventory;
 import org.zstack.utils.gson.JSONObjectUtil;
 
+import java.util.ArrayList;
 import java.util.LinkedHashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.stream.Collectors;
 
 @Inventory(mappingVOClass = ExternalPrimaryStorageVO.class)
@@ -59,6 +61,7 @@ public ExternalPrimaryStorageInventory(ExternalPrimaryStorageVO lvo) {
         super(lvo);
         identity = lvo.getIdentity();
         config = JSONObjectUtil.toObject(lvo.getConfig(), LinkedHashMap.class);
+        desensitizeConfig(config);
         addonInfo = JSONObjectUtil.toObject(lvo.getAddonInfo(), LinkedHashMap.class);
         outputProtocols = lvo.getOutputProtocols().stream().map(PrimaryStorageOutputProtocolRefVO::getOutputProtocol).collect(Collectors.toList());
         defaultProtocol = lvo.getDefaultProtocol();
@@ -68,6 +71,31 @@ public static ExternalPrimaryStorageInventory valueOf(ExternalPrimaryStorageVO l
         return new ExternalPrimaryStorageInventory(lvo);
     }
 
+    private static void desensitizeConfig(Map config) {
+        if (config == null) return;
+        desensitizeUrlList(config, "mdsUrls");
+        desensitizeUrlList(config, "mdsInfos");
+    }
+
+    private static void desensitizeUrlList(Map config, String key) {
+        Object urls = config.get(key);
+        if (urls instanceof List) {
+            List<String> desensitized = new ArrayList<>();
+            for (Object url : (List) urls) {
+                desensitized.add(desensitizeUrl(String.valueOf(url)));
+            }
+            config.put(key, desensitized);
+        }
+    }
+
+    private static String desensitizeUrl(String url) {
+        int atIndex = url.lastIndexOf('@');
+        if (atIndex > 0) {
+            return "***" + url.substring(atIndex);
+        }
+        return url;
+    }
+
     public String getIdentity() {
         return identity;
     }