redact 'token' strings from logging (#16764)

It's common for users to set 'TOKEN' as an env var. While this is a little like whack-a-mole and we can't cover everything, this seems like a common string to redact. Closes #16622. PiperOrigin-RevId: 488392632 Change-Id: I7b48199cc140d6736cd145df63e03eeda747c7fb (cherry picked from commit 1940c5d) Co-authored-by: Matt Mackay <mattem@gmail.com>
bazelbuild · Nov 14, 2022 · c3e2b98 · c3e2b98
1 parent 3bda5c9
commit c3e2b98
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/src/main/java/com/google/devtools/build/lib/runtime/SafeRequestLogging.java b/src/main/java/com/google/devtools/build/lib/runtime/SafeRequestLogging.java
@@ -21,14 +21,15 @@
 /** Utils for logging safely user commandlines. */
 public class SafeRequestLogging {
   private static final Pattern suppressFromLog =
-      Pattern.compile("--client_env=([^=]*(?:auth|pass|cookie)[^=]*)=", Pattern.CASE_INSENSITIVE);
+      Pattern.compile(
+          "--client_env=([^=]*(?:auth|pass|cookie|token)[^=]*)=", Pattern.CASE_INSENSITIVE);
 
   private SafeRequestLogging() {}
 
   /**
    * Generates a string form of a request to be written to the logs, filtering the user environment
    * to remove anything that looks private. The current filter criteria removes any variable whose
-   * name includes "auth", "pass", or "cookie".
+   * name includes "auth", "pass", "cookie" or "token".
    *
    * @return the filtered request to write to the log.
    */

diff --git a/src/test/java/com/google/devtools/build/lib/runtime/SafeRequestLoggingTest.java b/src/test/java/com/google/devtools/build/lib/runtime/SafeRequestLoggingTest.java
@@ -69,6 +69,16 @@ public void testGetRequestLogStringStripsApparentPasswordValues() {
             "[--client_env=dont_paSS_ME=__private_value_removed__, --client_env=other=isprinted]");
   }
 
+  @Test
+  public void testGetRequestLogStringStripsApparentTokenValues() {
+    assertThat(
+            SafeRequestLogging.getRequestLogString(
+                ImmutableList.of(
+                    "--client_env=service_ToKEn=notprinted", "--client_env=other=isprinted")))
+        .isEqualTo(
+            "[--client_env=service_ToKEn=__private_value_removed__, --client_env=other=isprinted]");
+  }
+
   @Test
   public void testGetRequestLogIgnoresSensitiveTermsInValues() {
     assertThat(SafeRequestLogging.getRequestLogString(ImmutableList.of("--client_env=ok=COOKIE")))