fix(security): replace passwords whereever they could be used for output

KaiSchwarz-cnic · KaiSchwarz-cnic · commit 65860abdfe8d · 2020-04-28T16:55:54.000+02:00
diff --git a/src/main/java/net/hexonet/apiconnector/APIClient.java b/src/main/java/net/hexonet/apiconnector/APIClient.java
@@ -84,15 +84,31 @@ public APIClient disableDebugMode() {
         return this;
     }
 
+    /**
+     * Method to use to encode data before sending it to the API Server
+     * 
+     * @param cmd The command to request
+     * @return
+     */
+    public String getPOSTData(Map<String, String> cmd) {
+        return this.getPOSTData(cmd, false);
+    }
 
     /**
      * Method to use to encode data before sending it to the API server
      * 
-     * @param cmd The command to request
+     * @param cmd     The command to request
+     * @param secured if password data shall be secured for output purposes
      * @return the ready to use, encoded request payload
      */
-    public String getPOSTData(Map<String, String> cmd) {
-        StringBuilder data = new StringBuilder(this.socketConfig.getPOSTData());
+    public String getPOSTData(Map<String, String> cmd, boolean secured) {
+        String pd;
+        if (secured) {
+            pd = this.socketConfig.getPOSTData().replaceAll("s_pw=[^&]+", "s_pw=***");
+        } else {
+            pd = this.socketConfig.getPOSTData();
+        }
+        StringBuilder data = new StringBuilder(pd);
         try {
             StringBuilder tmp = new StringBuilder("");
             Iterator<Map.Entry<String, String>> it = cmd.entrySet().iterator();
@@ -113,9 +129,10 @@ public String getPOSTData(Map<String, String> cmd) {
                     }
                 }
             }
+            pd = tmp.toString().replaceAll("PASSWORD=[^\n]+", "PASSWORD=***");
             data.append(URLEncoder.encode("s_command", "UTF-8"));
             data.append("=");
-            data.append(URLEncoder.encode(tmp.toString(), "UTF-8").replace("*", "%2A"));
+            data.append(URLEncoder.encode(pd, "UTF-8").replace("*", "%2A"));
             return data.toString();
         } catch (UnsupportedEncodingException e) {
             return "";
@@ -431,6 +448,7 @@ public Response request(Map<String, Object> cmd) {
 
         // request command to API
         String data = this.getPOSTData(newcmd);
+        String secured = this.getPOSTData(newcmd, true);
 
         StringBuilder response;
         try {
@@ -480,7 +498,7 @@ public Response request(Map<String, Object> cmd) {
         }
         Response r = new Response(response.toString(), newcmd);
         if (this.debugMode) {
-            System.out.println(data);
+            System.out.println(secured);
             System.out.println(newcmd);
             System.out.println(r.getPlain());
         }
diff --git a/src/main/java/net/hexonet/apiconnector/Response.java b/src/main/java/net/hexonet/apiconnector/Response.java
@@ -45,6 +45,9 @@ public class Response extends ResponseTemplate {
     public Response(String raw, Map<String, String> cmd) {
         super(raw);
         this.command = new HashMap<String, String>(cmd);
+        if (this.command.containsKey("PASSWORD")) { // make password no longer accessible
+            this.command.replace("PASSWORD", "***");
+        }
         this.columnkeys = new ArrayList<String>();
         this.columns = new ArrayList<Column>();
         this.recordIndex = 0;
diff --git a/src/test/java/net/hexonet/apiconnector/APIClientTest.java b/src/test/java/net/hexonet/apiconnector/APIClientTest.java
@@ -43,6 +43,23 @@ public void getPOSTData2() {
         assertEquals(validate, enc);
     }
 
+    /**
+     * Test getPOSTData method #3
+     */
+    @Test
+    public void getPOSTDataSecured() {
+        APIClient cl = new APIClient();
+        cl.setCredentials("test.user", "test.passw0rd");
+        Map<String, String> cmd = new HashMap<String, String>();
+        cmd.put("COMMAND", "CheckAuthentication");
+        cmd.put("SUBUSER", "test.user");
+        cmd.put("PASSWORD", "test.passw0rd");
+        String enc = cl.getPOSTData(cmd, true);
+        String str =
+                "s_entity=54cd&s_login=test.user&s_pw=***&s_command=SUBUSER%3Dtest.user%0APASSWORD%3D%2A%2A%2A%0ACOMMAND%3DCheckAuthentication";
+        assertEquals(str, enc);
+    }
+
     /**
      * Test enableDebugMode method
      */
diff --git a/src/test/java/net/hexonet/apiconnector/ResponseTest.java b/src/test/java/net/hexonet/apiconnector/ResponseTest.java
@@ -21,8 +21,6 @@ public class ResponseTest {
      */
     @Test
     public void getCommandPlain() {
-        // ensure no vars are returned in response, just in case no place holder replacements are
-        // provided
         Map<String, String> cmd = new HashMap<String, String>();
         cmd.put("COMMAND", "QueryDomainOptions");
         cmd.put("DOMAIN0", "example.com");
@@ -32,6 +30,20 @@ public void getCommandPlain() {
         assertEquals(str, r.getCommandPlain());
     }
 
+    /**
+     * Test getCommandPlain method: secured passwords
+     */
+    @Test
+    public void getCommandPlainSecure() {
+        Map<String, String> cmd = new HashMap<String, String>();
+        cmd.put("COMMAND", "CheckAuthentication");
+        cmd.put("SUBUSER", "test.user");
+        cmd.put("PASSWORD", "test.passw0rd");
+        Response r = new Response("", cmd);
+        String str = "SUBUSER = test.user\nCOMMAND = CheckAuthentication\nPASSWORD = ***\n";
+        assertEquals(str, r.getCommandPlain());
+    }
+
     /**
      * Test getCurrentPageNumber method #1
      */
