Fix issue #71: redact sensitive connection properties in CassandraConnection.toString()

maximevw · maximevw · commit 06b94449fcfc · 2024-09-04T20:35:41.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to 
 [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.13.1] - 2024-09-04
+### Fixed
+- Fix implementation of `CassandraConnection.toString()` to not leak connection password (see issue 
+  [#71](https://github.com/ing-bank/cassandra-jdbc-wrapper/issues/71)).
+
 ## [4.13.0] - 2024-07-27
 ### Added
 - Add support for switching execution profiles.
@@ -294,6 +299,7 @@ For this version, the changelog lists the main changes comparatively to the late
 - Fix logs in `CassandraConnection` constructor.
 
 [original project]: https://github.com/adejanovski/cassandra-jdbc-wrapper/
+[4.13.1]: https://github.com/ing-bank/cassandra-jdbc-wrapper/compare/v4.13.0...v4.13.1
 [4.13.0]: https://github.com/ing-bank/cassandra-jdbc-wrapper/compare/v4.12.0...v4.13.0
 [4.12.0]: https://github.com/ing-bank/cassandra-jdbc-wrapper/compare/v4.11.1...v4.12.0
 [4.11.1]: https://github.com/ing-bank/cassandra-jdbc-wrapper/compare/v4.11.0...v4.11.1
diff --git a/pom.xml b/pom.xml
@@ -5,7 +5,7 @@
 
 	<groupId>com.ing.data</groupId>
 	<artifactId>cassandra-jdbc-wrapper</artifactId>
-    <version>4.13.0</version>
+    <version>4.13.1</version>
 	<packaging>jar</packaging>
 
     <name>Cassandra JDBC Wrapper</name>
diff --git a/src/main/java/com/ing/data/cassandra/jdbc/CassandraConnection.java b/src/main/java/com/ing/data/cassandra/jdbc/CassandraConnection.java
@@ -67,6 +67,7 @@
 import static com.ing.data.cassandra.jdbc.CassandraResultSet.DEFAULT_CONCURRENCY;
 import static com.ing.data.cassandra.jdbc.CassandraResultSet.DEFAULT_HOLDABILITY;
 import static com.ing.data.cassandra.jdbc.CassandraResultSet.DEFAULT_TYPE;
+import static com.ing.data.cassandra.jdbc.utils.DriverUtil.toStringWithoutSensitiveValues;
 import static com.ing.data.cassandra.jdbc.utils.ErrorConstants.ALWAYS_AUTOCOMMIT;
 import static com.ing.data.cassandra.jdbc.utils.ErrorConstants.BAD_TIMEOUT;
 import static com.ing.data.cassandra.jdbc.utils.ErrorConstants.INVALID_FETCH_SIZE_PARAMETER;
@@ -603,7 +604,8 @@ protected boolean removeStatement(final Statement statement) {
 
     @Override
     public String toString() {
-        return "CassandraConnection [connectionProperties=" + this.connectionProperties + "]";
+        return String.format("CassandraConnection [connectionProperties=%s]",
+            toStringWithoutSensitiveValues(this.connectionProperties));
     }
 
     /**
diff --git a/src/main/java/com/ing/data/cassandra/jdbc/utils/DriverUtil.java b/src/main/java/com/ing/data/cassandra/jdbc/utils/DriverUtil.java
@@ -30,6 +30,8 @@
 import java.util.Properties;
 import java.util.stream.Collectors;
 
+import static com.ing.data.cassandra.jdbc.utils.JdbcUrlUtil.TAG_PASSWORD;
+
 /**
  * A set of static utility methods and constants used by the JDBC driver.
  */
@@ -186,4 +188,19 @@ public static DriverPropertyInfo buildPropertyInfo(final String propertyName, fi
         return propertyInfo;
     }
 
+    /**
+     * Returns a string representation of the provided driver properties with redacted values for sensitive properties
+     * such as passwords.
+     *
+     * @param properties The driver properties.
+     * @return The string representation of the properties, without sensitive values.
+     */
+    public static String toStringWithoutSensitiveValues(final Properties properties) {
+        final Properties withRedactedSensitiveValues = (Properties) properties.clone();
+        if (withRedactedSensitiveValues.containsKey(TAG_PASSWORD)) {
+            withRedactedSensitiveValues.setProperty(TAG_PASSWORD, "***");
+        }
+        return withRedactedSensitiveValues.toString();
+    }
+
 }
diff --git a/src/test/java/com/ing/data/cassandra/jdbc/ConnectionUnitTest.java b/src/test/java/com/ing/data/cassandra/jdbc/ConnectionUnitTest.java
@@ -67,6 +67,7 @@
 import static com.ing.data.cassandra.jdbc.utils.ErrorConstants.SSL_CONFIG_FAILED;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.instanceOf;
+import static org.hamcrest.Matchers.matchesPattern;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
@@ -627,4 +628,14 @@ void givenCassandraConnectionWithCustomExecProfile_whenExecuteStatement_useExpec
         assertEquals(customProfileName, executedStmt.getExecutionProfile().getName());
     }
 
+    @Test
+    void givenCassandraConnection_whenToString_returnExpectedString() throws Exception {
+        initConnection(KEYSPACE, "password=cassandra", "localdatacenter=datacenter1");
+        assertNotNull(sqlConnection);
+        assertThat(sqlConnection.toString(),
+            matchesPattern("CassandraConnection \\[connectionProperties=\\{password=\\*\\*\\*, "
+                + "localDatacenter=datacenter1, databaseName=system, contactPoints=\\[localhost:\\d+]}]")
+            );
+    }
+
 }
