fix(oxauth): Plaintext passwords logged from TokenRestWebServiceImpl …

…with DEBUG log level #1910
GluuFederation · Aug 26, 2024 · cd0767a · cd0767a
1 parent 07af0b7
commit cd0767a
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/Server/src/main/java/org/gluu/oxauth/util/ServerUtil.java b/Server/src/main/java/org/gluu/oxauth/util/ServerUtil.java
@@ -66,6 +66,9 @@ public static Map<String, String[]> prepareForLogs(Map<String, String[]> paramet
         if (result.containsKey("client_secret")) {
             result.put("client_secret", new String[] {"*****"});
         }
+        if (result.containsKey("password")) {
+            result.put("password", new String[] {"*****"});
+        }
         return result;
     }
 

diff --git a/Server/src/test/java/org/gluu/oxauth/util/ServerUtilTest.java b/Server/src/test/java/org/gluu/oxauth/util/ServerUtilTest.java
@@ -21,4 +21,14 @@ public void prepareForLogs_whenCalled_shouldNotHaveClearTextClientPassword() {
 
         assertEquals("*****", result.get("client_secret")[0]);
     }
+
+    @Test
+    public void prepareForLogs_whenCalled_shouldNotHaveClearTextPassword() {
+        Map<String, String[]> parameters = new HashMap<>();
+        parameters.put("password", new String[] {"124"});
+
+        final Map<String, String[]> result = ServerUtil.prepareForLogs(parameters);
+
+        assertEquals("*****", result.get("password")[0]);
+    }
 }