
Conversation

@YLChen-007

Description

This PR fixes the logging of sensitive information in the cmd of cloud.utils.script.Script. #12005

@codecov

codecov bot commented Nov 8, 2025

Codecov Report

❌ Patch coverage is 69.09091% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.18%. Comparing base (e90e436) to head (45a66f0).
⚠️ Report is 7 commits behind head on 4.20.

Files with missing lines                                 Patch %   Lines
...s/src/main/java/com/cloud/utils/script/Script.java    66.66%    16 Missing and 1 partial ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               4.20   #12024      +/-   ##
============================================
- Coverage     16.18%   16.18%   -0.01%     
+ Complexity    13305    13303       -2     
============================================
  Files          5657     5657              
  Lines        498466   498485      +19     
  Branches      60491    60491              
============================================
- Hits          80696    80677      -19     
- Misses       408789   408828      +39     
+ Partials       8981     8980       -1     
Flag         Coverage Δ
uitests      4.00% <ø> (ø)
unittests    17.03% <69.09%> (-0.01%) ⬇️


@DaanHoogland
Contributor

@blueorangutan package

@blueorangutan

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15701

@DaanHoogland
Contributor

@blueorangutan test

@blueorangutan

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian test result (tid-14794)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 48295 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12024-t14794-kvm-ol8.zip
Smoke tests completed. 140 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test                         Result   Time (s)   Test File
test_create_pvlan_network    Error    0.09       test_pvlan.py

@DaanHoogland DaanHoogland requested review from Copilot, shwstppr and sureshanaparti and removed request for Copilot and sureshanaparti November 11, 2025 08:54
Contributor

Copilot AI left a comment


Pull Request Overview

This PR addresses a security issue where sensitive information (such as passwords) was being logged in plain text within the Script class. The fix introduces a new addSensitive() method to mark specific command arguments as sensitive, ensuring they are masked with "******" in logs and command-line representations.

Key changes:

  • Added sensitiveArgIndices Set to track which arguments contain sensitive data
  • Implemented addSensitive() method for explicitly marking sensitive arguments
  • Updated all logging statements throughout the execute() methods to conditionally log sanitized messages when sensitive arguments are present

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 13 comments.

File                                             Description
Script.java                                      Core implementation adding sensitive argument tracking and comprehensive logging changes to mask sensitive data
ScriptTest.java                                  Test cases validating that sensitive arguments are properly masked in command-line output
LibvirtUpdateHostPasswordCommandWrapper.java     Updated to use addSensitive() for password arguments
CitrixUpdateHostPasswordCommandWrapper.java      Updated logging to mask password in debug output

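As an added illustration (not code from this PR or from CloudStack's Script class), the following minimal Java builder shows the pattern the review above describes: record the index of each argument added through addSensitive(), keep the real argv for execution, and render a masked string for logging. The class and method names (MaskingCommand, toArgv, toLogString, hasSensitiveArgs) and the sample password are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Illustrative stand-in for a command builder that masks selected
 * arguments in its log output. This is not CloudStack's Script class;
 * all names here are assumptions made for the example.
 */
public class MaskingCommand {
    private static final String MASK = "******";

    private final List<String> args = new ArrayList<>();
    // Positions (into args) of values that must never be logged in plain text.
    private final Set<Integer> sensitiveArgIndices = new HashSet<>();

    public MaskingCommand(String executable) {
        args.add(executable);
    }

    public MaskingCommand add(String arg) {
        args.add(arg);
        return this;
    }

    /** Adds an argument and records its index so it is masked when logged. */
    public MaskingCommand addSensitive(String arg) {
        sensitiveArgIndices.add(args.size());
        args.add(arg);
        return this;
    }

    /** True when at least one argument was marked; callers use it to pick the sanitized log path. */
    public boolean hasSensitiveArgs() {
        return !sensitiveArgIndices.isEmpty();
    }

    /** The real argv, handed to the process launcher unchanged. */
    public List<String> toArgv() {
        return new ArrayList<>(args);
    }

    /** The command line as it should appear in log messages: marked positions replaced by MASK. */
    public String toLogString() {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < args.size(); i++) {
            if (i > 0) {
                sb.append(' ');
            }
            sb.append(sensitiveArgIndices.contains(i) ? MASK : args.get(i));
        }
        return sb.toString();
    }

    public static void main(String[] argv) {
        // Constructed sample: a helper that takes a password on its command line.
        String secret = "Hunter2!";
        MaskingCommand cmd = new MaskingCommand("/usr/bin/update-host-password")
            .add("--user").add("root")
            .add("--password").addSensitive(secret);

        System.out.println("argv for exec : " + cmd.toArgv());
        System.out.println("log line      : " + cmd.toLogString());

        // The check a unit test for this pattern would make: the masked form
        // must not contain the secret, while the argv still does.
        if (cmd.toLogString().contains(secret)) {
            throw new IllegalStateException("secret leaked into log string");
        }
        if (!cmd.toArgv().contains(secret)) {
            throw new IllegalStateException("argv was altered; the child would not receive the password");
        }
        // The mistake the fix removes is logging the raw list instead of the masked string.
        String rawJoined = String.join(" ", cmd.toArgv());
        System.out.println("raw argv leaks secret: " + (cmd.hasSensitiveArgs() && rawJoined.contains(secret)));
    }
}
```

The hasSensitiveArgs() gate mirrors the conditional logging the review mentions: when nothing is marked, the plain command line is logged as before, so existing call sites keep their output. Two things a reviewer would check in any index-based variant of this pattern: the position is captured at addSensitive() time, so any later insertion or removal of arguments shifts indices and must update the set too; and masking the log string does not remove the value from the child process's argv, which stays readable on the host through ps or /proc/<pid>/cmdline for the lifetime of that process, so a credential that must not be visible there has to be passed via stdin, an environment variable, or a file rather than as a command-line argument.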

@DaanHoogland DaanHoogland requested a review from Copilot November 11, 2025 14:37
Contributor

Copilot AI left a comment


Pull Request Overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.



@DaanHoogland
Contributor

@blueorangutan package

@blueorangutan

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@DaanHoogland
Contributor

@YLChen-007 ,

09:03:01 [ERROR] /jenkins/workspace/acs-centos8-pkg-builder/dist/rpmbuild/BUILD/cloudstack-4.20.3.0-SNAPSHOT/utils/src/main/java/com/cloud/utils/script/Script.java:47:8: Unused import - org.apache.cloudstack.utils.security.KeyStoreUtils. [UnusedImports]

@YLChen-007
Author

@YLChen-007 ,

09:03:01 [ERROR] /jenkins/workspace/acs-centos8-pkg-builder/dist/rpmbuild/BUILD/cloudstack-4.20.3.0-SNAPSHOT/utils/src/main/java/com/cloud/utils/script/Script.java:47:8: Unused import - org.apache.cloudstack.utils.security.KeyStoreUtils. [UnusedImports]

I will delete this import.



Development

Successfully merging this pull request may close these issues.

Security: Inadequate Password Masking in Script Execution Framework Exposes Credentials Across Multiple Log Levels

3 participants