@@ -4,8 +4,10 @@
import org.zstack.header.storage.primary.PrimaryStorageInventory;
import org.zstack.utils.gson.JSONObjectUtil;

import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

@Inventory(mappingVOClass = ExternalPrimaryStorageVO.class)
@@ -59,6 +61,7 @@ public ExternalPrimaryStorageInventory(ExternalPrimaryStorageVO lvo) {
super(lvo);
identity = lvo.getIdentity();
config = JSONObjectUtil.toObject(lvo.getConfig(), LinkedHashMap.class);
desensitizeConfig(config);
addonInfo = JSONObjectUtil.toObject(lvo.getAddonInfo(), LinkedHashMap.class);
outputProtocols = lvo.getOutputProtocols().stream().map(PrimaryStorageOutputProtocolRefVO::getOutputProtocol).collect(Collectors.toList());
defaultProtocol = lvo.getDefaultProtocol();
@@ -68,6 +71,31 @@ public static ExternalPrimaryStorageInventory valueOf(ExternalPrimaryStorageVO l
return new ExternalPrimaryStorageInventory(lvo);
}

private static void desensitizeConfig(Map config) {
if (config == null) return;
desensitizeUrlList(config, "mdsUrls");
desensitizeUrlList(config, "mdsInfos");
}

private static void desensitizeUrlList(Map config, String key) {
Object urls = config.get(key);
if (urls instanceof List) {
List<String> desensitized = new ArrayList<>();
for (Object url : (List) urls) {
desensitized.add(desensitizeUrl(String.valueOf(url)));
}
config.put(key, desensitized);
}
}

private static String desensitizeUrl(String url) {
int atIndex = url.lastIndexOf('@');
if (atIndex > 0) {
return "***" + url.substring(atIndex);
}
Comment on lines +91 to +95

⚠️ Potential issue | 🟠 Major

脱敏后丢失协议前缀,可能破坏兼容性。

当前逻辑会把 iscsi://user:pass@host 变成 ***@host,协议头丢失,容易影响依赖协议解析的客户端或历史行为。建议保留协议前缀,仅遮蔽凭据段。

🛠️ 保留协议前缀的修复建议
 private static String desensitizeUrl(String url) {
     int atIndex = url.lastIndexOf('@');
     if (atIndex > 0) {
-        return "***" + url.substring(atIndex);
+        int schemeIndex = url.indexOf("://");
+        if (schemeIndex >= 0 && schemeIndex < atIndex) {
+            String prefix = url.substring(0, schemeIndex + 3);
+            return prefix + "***" + url.substring(atIndex);
+        }
+        return "***" + url.substring(atIndex);
     }
     return url;
 }
As per coding guidelines: “向后兼容原则:之前的代码产生的行为不要直接去改动…”
🤖 Prompt for AI Agents
In
`@header/src/main/java/org/zstack/header/storage/addon/primary/ExternalPrimaryStorageInventory.java`
around lines 91 - 95, The desensitizeUrl method currently strips the protocol
(e.g., turning "iscsi://user:pass@host" into "***@host"); update desensitizeUrl
so it preserves the scheme/protocol prefix (everything up to and including
"://") and only masks the credentials portion before the '@' (replace credential
characters with "***" or similar) while keeping the rest of the URL intact;
locate and modify the desensitizeUrl method to detect the "://" delimiter and
the last '@' (using the existing atIndex logic) and build the returned string as
protocol + maskedCredentials + substring(from atIndex) so callers depending on
protocol parsing keep backward-compatible behavior.

return url;
}

public String getIdentity() {
return identity;
}
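Review bot: `desensitizeUrlList` masks an element only when its string form contains an `@`, so the redaction depends on every entry under `mdsUrls` and `mdsInfos` being a `user:password@host` string. If an entry deserializes as something else (a nested map under `mdsInfos`, for example — not visible in this diff, so to be confirmed), `String.valueOf(url)` flattens it to its `toString()` and a password inside it may pass through unmasked. Failing closed would be safer: `desensitized.add(url instanceof String ? desensitizeUrl((String) url) : "***");`, together with a comment on `desensitizeUrl` stating the input format it expects. Separately, `addonInfo` is deserialized in the constructor right after the `desensitizeConfig(config)` call and gets no masking, so it is worth confirming that it never carries credentials.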