supertokens · rishabhpoddar · Feb 6, 2024 · Jan 25, 2024 · Feb 1, 2024 · Feb 1, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [5.0.6] - 2024-01-25
+
+- Fixes the issue where passwords were inadvertently logged in the logs.
+
 ## [5.0.5] - 2023-12-06
 
 - Validates db config types in `canBeUsed` function

diff --git a/build.gradle b/build.gradle
@@ -2,7 +2,7 @@ plugins {
     id 'java-library'
 }
 
-version = "5.0.5"
+version = "5.0.6"
 
 repositories {
     mavenCentral()

diff --git a/src/main/java/io/supertokens/storage/mysql/config/MySQLConfig.java b/src/main/java/io/supertokens/storage/mysql/config/MySQLConfig.java
@@ -509,10 +509,18 @@ public String getConnectionPoolId() {
         StringBuilder connectionPoolId = new StringBuilder();
         for (Field field : MySQLConfig.class.getDeclaredFields()) {
             if (field.isAnnotationPresent(ConnectionPoolProperty.class)) {
-                connectionPoolId.append("|");
                 try {
-                    if (field.get(this) != null) {
-                        connectionPoolId.append(field.get(this).toString());
+                    String fieldName = field.getName();
+                    String fieldValue = field.get(this) != null ? field.get(this).toString() : null;
+                    if(fieldValue == null) {
+                        continue;
+                    }
+                    // To ensure a unique connectionPoolId we include the database password and use the "|db_pass|" identifier.
+                    // This facilitates easy removal of the password from logs when necessary.
+                    if (fieldName.equals("mysql_password")) {
+                        connectionPoolId.append("|db_pass|" + fieldValue + "|db_pass");
+                    } else {
+                        connectionPoolId.append("|" + fieldValue);
                     }
                 } catch (IllegalAccessException e) {
                     throw new RuntimeException(e);

diff --git a/src/main/java/io/supertokens/storage/mysql/output/CustomLayout.java b/src/main/java/io/supertokens/storage/mysql/output/CustomLayout.java
@@ -25,6 +25,8 @@
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
 import java.util.Date;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 class CustomLayout extends LayoutBase<ILoggingEvent> {
 
@@ -35,6 +37,21 @@ class CustomLayout extends LayoutBase<ILoggingEvent> {
         this.processID = processID;
     }
 
+    public static String maskDBPassword(String log) {
+        String regex = "(\\|db_pass\\|)(.*?)(\\|db_pass\\|)";
+
+        Matcher matcher = Pattern.compile(regex).matcher(log);
+        StringBuffer maskedLog = new StringBuffer();
+
+        while (matcher.find()) {
+            String maskedPassword = "*".repeat(8);
+            matcher.appendReplacement(maskedLog, "|" + maskedPassword + "|");
+        }
+
+        matcher.appendTail(maskedLog);
+        return maskedLog.toString();
+    }
+
     @Override
     public String doLayout(ILoggingEvent event) {
         StringBuilder sbuf = new StringBuilder();
@@ -58,7 +75,7 @@ public String doLayout(ILoggingEvent event) {
         sbuf.append(event.getCallerData()[1]);
         sbuf.append(" | ");
 
-        sbuf.append(event.getFormattedMessage());
+        sbuf.append(maskDBPassword(event.getFormattedMessage()));
         sbuf.append(CoreConstants.LINE_SEPARATOR);
         sbuf.append(CoreConstants.LINE_SEPARATOR);
 

diff --git a/src/test/java/io/supertokens/storage/mysql/test/LoggingTest.java b/src/test/java/io/supertokens/storage/mysql/test/LoggingTest.java
@@ -21,6 +21,8 @@
 import ch.qos.logback.classic.spi.ILoggingEvent;
 import ch.qos.logback.core.Appender;
 import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
 import io.supertokens.ProcessState;
 import io.supertokens.config.Config;
 import io.supertokens.featureflag.EE_FEATURES;
@@ -308,6 +310,190 @@ public void confirmHikariLoggerClosedOnlyWhenProcessEnds() throws Exception {
         assertFalse(hikariLogger.iteratorForAppenders().hasNext());
     }
 
+    @Test
+    public void testDBPasswordMaskingOnDBConnectionFailUsingConnectionUri() throws Exception {
+        StorageLayer.close();
+        String[] args = { "../" };
+
+        String dbUser = "db_user";
+        String dbPassword = "db_password";
+        String dbName = "db_does_not_exist";
+        String dbConnectionUri = "mysql://" + dbUser + ":" + dbPassword + "@localhost:3306/" + dbName;
+
+        Utils.setValueInConfig("mysql_connection_uri", dbConnectionUri);
+        Utils.commentConfigValue("mysql_user");
+        Utils.commentConfigValue("mysql_password");
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+
+        process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.INIT_FAILURE);
+
+        File errorLog = new File(Config.getConfig(process.getProcess()).getErrorLogPath(process.getProcess()));
+
+        boolean dbPasswordMaskedInErrorLog = false;
+
+        try (Scanner errorScanner = new Scanner(errorLog, StandardCharsets.UTF_8)) {
+            while (errorScanner.hasNextLine()) {
+                String line = errorScanner.nextLine();
+                if(line.contains(dbName) && line.contains(dbUser) && !line.contains(dbPassword) && line.contains("********")){
+                    dbPasswordMaskedInErrorLog = true;
+                    break;
+                }
+            }
+        }
+
+        assertTrue(dbPasswordMaskedInErrorLog);
+        process.kill();
+
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testDBPasswordMaskingOnDBConnectionFailUsingCredentials() throws Exception {
+        StorageLayer.close();
+        String[] args = { "../" };
+
+        String dbUser = "db_user";
+        String dbPassword = "db_password";
+        String dbName = "db_does_not_exist";
+
+        Utils.setValueInConfig("mysql_user", dbUser);
+        Utils.setValueInConfig("mysql_password", dbPassword);
+        Utils.setValueInConfig("mysql_database_name", dbName);
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+
+        process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.INIT_FAILURE);
+
+        File errorLog = new File(Config.getConfig(process.getProcess()).getErrorLogPath(process.getProcess()));
+
+        boolean dbPasswordMaskedInErrorLog = false;
+
+        try (Scanner errorScanner = new Scanner(errorLog, StandardCharsets.UTF_8)) {
+            while (errorScanner.hasNextLine()) {
+                String line = errorScanner.nextLine();
+                if(line.contains(dbName) && line.contains(dbUser) && !line.contains(dbPassword) && line.contains("********")){
+                    dbPasswordMaskedInErrorLog = true;
+                    break;
+                }
+            }
+        }
+
+        assertTrue(dbPasswordMaskedInErrorLog);
+        process.kill();
+
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testDBPasswordMaskingOnDBConnectionFailWhenCreatingTenant() throws Exception {
+        StorageLayer.close();
+        String[] args = { "../" };
+
+        String dbUser = "db_user";
+        String dbPassword = "db_password";
+        String dbName = "db_does_not_exist";
+        String dbConnectionUri = "mysql://" + dbUser + ":" + dbPassword + "@localhost:3306/" + dbName;
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Main main = process.getProcess();
+
+        FeatureFlagTestContent.getInstance(main)
+        .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{
+                EE_FEATURES.ACCOUNT_LINKING, EE_FEATURES.MULTI_TENANCY});
+
+        process.startProcess();
+
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        JsonObject config = new JsonObject();
+        TenantIdentifier tenantIdentifier = new TenantIdentifier(null, "a1", null);
+
+        config.addProperty("mysql_connection_uri", dbConnectionUri);
+        StorageLayer.getStorage(new TenantIdentifier(null, null, null), main)
+                .modifyConfigToAddANewUserPoolForTesting(config, 1);
+
+        try {
+            Multitenancy.addNewOrUpdateAppOrTenant(
+                    main,
+                    new TenantIdentifier(null, null, null),
+                    new TenantConfig(
+                            tenantIdentifier,
+                            new EmailPasswordConfig(true),
+                            new ThirdPartyConfig(true, null),
+                            new PasswordlessConfig(true),
+                            config
+                    )
+            );
+
+        } catch (Exception e) {
+
+        }
+
+        File errorLog = new File(Config.getConfig(main).getErrorLogPath(main));
+
+        boolean dbPasswordMaskedInErrorLog = false;
+
+        try (Scanner errorScanner = new Scanner(errorLog, StandardCharsets.UTF_8)) {
+            while (errorScanner.hasNextLine()) {
+                String line = errorScanner.nextLine();
+                System.out.println("line: " + line);
+                if(line.contains(dbName) && line.contains(dbUser) && !line.contains(dbPassword) && line.contains("********")){
+                    dbPasswordMaskedInErrorLog = true;
+                    break;
+                }
+            }
+        }
+
+        assertTrue(dbPasswordMaskedInErrorLog);
+        process.kill();
+
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testDBPasswordMasking() throws Exception {
+        StorageLayer.close();
+        String[] args = { "../" };
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        File infoLog = new File(Config.getConfig(process.getProcess()).getInfoLogPath(process.getProcess()));
+        File errorLog = new File(Config.getConfig(process.getProcess()).getErrorLogPath(process.getProcess()));
+
+        Logging.error((Start) StorageLayer.getStorage(process.getProcess()), "ERROR LOG: |db_pass|password|db_pass|", false);
+        Logging.info((Start) StorageLayer.getStorage(process.getProcess()), "INFO LOG: |db_pass|password|db_pass|", true);
+
+        boolean dbPasswordMaskedInInfoLog = false;
+        boolean dbPasswordMaskedInErrorLog = false;
+
+        try (Scanner scanner = new Scanner(infoLog, StandardCharsets.UTF_8)) {
+            while (scanner.hasNextLine()) {
+                String line = scanner.nextLine();
+                if(line.contains("INFO LOG") && line.contains("INFO LOG: |********|")) {
+                    dbPasswordMaskedInInfoLog = true;
+                    break;
+                }
+            }
+        }
+
+        try (Scanner errorScanner = new Scanner(errorLog, StandardCharsets.UTF_8)) {
+            while (errorScanner.hasNextLine()) {
+                String line = errorScanner.nextLine();
+                if(line.contains("ERROR LOG") && line.contains("ERROR LOG: |********|")) {
+                    dbPasswordMaskedInErrorLog = true;
+                    break;
+                }
+            }
+        }
+
+        assertTrue(dbPasswordMaskedInInfoLog && dbPasswordMaskedInErrorLog);
+        process.kill();
+
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
     private static int countAppenders(ch.qos.logback.classic.Logger logger) {
         int count = 0;
         Iterator<Appender<ILoggingEvent>> appenderIter = logger.iteratorForAppenders();