From: Marcin Haba <marcin.haba@bacula.pl>
Date: Fri, 12 Jan 2024 09:17:03 +0000 (+0100)
Subject: baculum: Mask sensitive AWS data in debug log
X-Git-Tag: Beta-15.0.1~69
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3b742a39304825beea82e08fe4b3bd3f8d397b74;p=thirdparty%2Fbacula.git

baculum: Mask sensitive AWS data in debug log
---

diff --git a/gui/baculum/protected/API/Modules/AWSCliTool.php b/gui/baculum/protected/API/Modules/AWSCliTool.php
index d450eb0a1..a8fcdb1d4 100644
--- a/gui/baculum/protected/API/Modules/AWSCliTool.php
+++ b/gui/baculum/protected/API/Modules/AWSCliTool.php
@@ -166,14 +166,26 @@ class AWSCliTool extends APIModule {
 		$sudo = $this->getSudo($use_sudo);
 		$cmd = $this->getCmd($sudo, $bin, $params);
 		exec($cmd, $output, $exitcode);
+		$cmd_s = self::stripOutput([$cmd]);
 		$this->getModule('logging')->log(
 			Logging::CATEGORY_EXECUTE,
-			Logging::prepareOutput($cmd, $output)
+			Logging::prepareOutput(
+				implode('', $cmd_s),
+				$output
+			)
 		);
 		$result = $this->prepareResult($output, $exitcode);
 		return $result;
 	}
 
+	private static function stripOutput(array $output) {
+		for ($i = 0; $i < count($output); $i++) {
+			$output[$i] = preg_replace('/AWS_ACCESS_KEY_ID="(\w)+?"/', 'AWS_ACCESS_KEY_ID="xxxxxxxxxx"', $output[$i]);
+			$output[$i] = preg_replace('/AWS_SECRET_ACCESS_KEY="([\s\S])+?"/', 'AWS_SECRET_ACCESS_KEY="xxxxxxxxxx"', $output[$i]);
+		}
+		return $output;
+	}
+
 	/**
 	 * Get AWS CLi tool command.
 	 *