
Commit 32e7957

committed
Scrub secrets from process arguments
1 parent 7589805 commit 32e7957


3 files changed

+43
-17
lines changed


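--- a/instrumentation/resources/library/build.gradle.kts
+++ b/instrumentation/resources/library/build.gradle.kts
@@ -84,6 +84,17 @@ testing {
 }
 
 tasks {
+test {
+dependsOn(jar)
+doFirst {
+// use test the final jar instead of directories with built classes to test the mrjar functionality
+classpath = jar.get().outputs.files + classpath
+}
+systemProperty("testSecret", "test")
+systemProperty("testPassword", "test")
+systemProperty("testNotRedacted", "test")
+}
+
 check {
 dependsOn(testing.suites)
 }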

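--- a/instrumentation/resources/library/src/main/java/io/opentelemetry/instrumentation/resources/ProcessResource.java
+++ b/instrumentation/resources/library/src/main/java/io/opentelemetry/instrumentation/resources/ProcessResource.java
@@ -14,7 +14,6 @@
 import java.lang.management.ManagementFactory;
 import java.lang.management.RuntimeMXBean;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Locale;
 import java.util.regex.Pattern;
@@ -35,6 +34,9 @@ public final class ProcessResource {
 // Important: This is statically used in buildResource, so must be declared/initialized first.
 private static final Pattern JAR_FILE_PATTERN =
 Pattern.compile("^\\S+\\.(jar|war)", Pattern.CASE_INSENSITIVE);
+// scrub values for system properties containing "secret" or "password" in the name
+private static final Pattern SCRUB_PATTERN =
+Pattern.compile("(-D.*(password|secret).*=).*", Pattern.CASE_INSENSITIVE);
 
 private static final Resource INSTANCE = buildResource();
 
@@ -94,12 +96,14 @@ private static Resource doBuildResource() {
 if (args.length > 0) {
 List<String> commandArgs = new ArrayList<>(args.length + 1);
 commandArgs.add(executablePath.toString());
-commandArgs.addAll(Arrays.asList(args));
+for (String arg : args) {
+commandArgs.add(scrub(arg));
+}
 attributes.put(PROCESS_COMMAND_ARGS, commandArgs);
 } else { // Java 8
 StringBuilder commandLine = new StringBuilder(executablePath);
 for (String arg : runtime.getInputArguments()) {
-commandLine.append(' ').append(arg);
+commandLine.append(' ').append(scrub(arg));
 }
 // sun.java.command isn't well document and may not be available on all systems.
 String javaCommand = System.getProperty("sun.java.command");
@@ -118,5 +122,9 @@ private static Resource doBuildResource() {
 return Resource.create(attributes.build(), SchemaUrls.V1_24_0);
 }
 
+private static String scrub(String argument) {
+return SCRUB_PATTERN.matcher(argument).replaceFirst("$1***");
+}
+
 private ProcessResource() {}
 }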
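Review bot: A value that itself contains `=` is not fully masked by SCRUB_PATTERN, because the greedy `.*=` inside group 1 runs to the last `=` in the argument: a constructed example such as `-Dapi.secret=c2VjcmV0==` comes out of `scrub` as `-Dapi.secret=c2VjcmV0==***`, with the value intact. Limiting the name part to non-`=` characters and letting the tail span line breaks fixes both that and multi-line values: `Pattern.compile("(-D[^=]*(password|secret)[^=]*=).*", Pattern.CASE_INSENSITIVE | Pattern.DOTALL)`. The comment above the pattern should also say that masking is best effort: only `-D` options whose name contains one of the two words are covered, and other arguments are exported unchanged. doBuildResource begins and ends outside these hunks, so the handling of `sun.java.command` on the Java 8 branch could not be checked here.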

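--- a/instrumentation/resources/library/src/test/java/io/opentelemetry/instrumentation/resources/ProcessResourceTest.java
+++ b/instrumentation/resources/library/src/test/java/io/opentelemetry/instrumentation/resources/ProcessResourceTest.java
@@ -19,32 +19,39 @@ class ProcessResourceTest {
 @Test
 @SetSystemProperty(key = "os.name", value = "Linux 4.12")
 void notWindows() {
-Resource resource = ProcessResource.buildResource();
-assertThat(resource.getSchemaUrl()).isEqualTo(SchemaUrls.V1_24_0);
-Attributes attributes = resource.getAttributes();
-
-assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_PID)).isGreaterThan(1);
-assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH))
-.matches(".*[/\\\\]java");
-assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_COMMAND_LINE))
-.contains(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH));
-// With Java 9+ and a compiled jar, ResourceAttributes.PROCESS_COMMAND_ARGS
-// will be set instead of ResourceAttributes.PROCESS_COMMAND_LINE
+assertResource(false);
 }
 
 @Test
 @SetSystemProperty(key = "os.name", value = "Windows 10")
 void windows() {
+assertResource(true);
+}
+
+private static void assertResource(boolean windows) {
 Resource resource = ProcessResource.buildResource();
 assertThat(resource.getSchemaUrl()).isEqualTo(SchemaUrls.V1_24_0);
 Attributes attributes = resource.getAttributes();
 
 assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_PID)).isGreaterThan(1);
 assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH))
-.matches(".*[/\\\\]java\\.exe");
-assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_COMMAND_LINE))
-.contains(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH));
+.matches(windows ? ".*[/\\\\]java\\.exe" : ".*[/\\\\]java");
+
 // With Java 9+ and a compiled jar, ResourceAttributes.PROCESS_COMMAND_ARGS
 // will be set instead of ResourceAttributes.PROCESS_COMMAND_LINE
+boolean java8 = "1.8".equals(System.getProperty("java.specification.version"));
+if (java8) {
+assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_COMMAND_LINE))
+.contains(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH))
+.contains("-DtestSecret=***")
+.contains("-DtestPassword=***")
+.contains("-DtestNotRedacted=test");
+} else {
+assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_COMMAND_ARGS))
+.contains(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH))
+.contains("-DtestSecret=***")
+.contains("-DtestPassword=***")
+.contains("-DtestNotRedacted=test");
+}
 }
 }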
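Review bot: assertResource appears to pass only when it runs through the Gradle `test` task, and nothing in the test says so: the `-DtestSecret`, `-DtestPassword` and `-DtestNotRedacted` values it asserts on are set in build.gradle.kts, and so is the jar-first classpath that the comment ties to PROCESS_COMMAND_ARGS being populated on Java 9+. A comment above the helper would save the next reader a confusing failure in an IDE run, for example `// relies on the Gradle test task: it sets -DtestSecret/-DtestPassword/-DtestNotRedacted and runs against the built jar`. The assertions also use only the value `test`, so a value containing `=` or a line break is never exercised; one more property of that shape next to the existing three would pin how the mask treats it.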
