From 0790674c14f76be7fb7ab805ab3673f8143432a5 Mon Sep 17 00:00:00 2001
From: Charlie Lewis <clewis@iqt.org>
Date: Wed, 3 Mar 2021 06:06:31 -0800
Subject: [PATCH] mask mongo credentials when logging (#827)

---
 lib/dbi/ogs-mongoc.c | 32 +++++++++++++++++++++++++++++---
 lib/dbi/ogs-mongoc.h |  1 +
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/lib/dbi/ogs-mongoc.c b/lib/dbi/ogs-mongoc.c
index 1e5c3b524b..c5dd870145 100644
--- a/lib/dbi/ogs-mongoc.c
+++ b/lib/dbi/ogs-mongoc.c
@@ -20,9 +20,11 @@
 #include <mongoc.h>
 
 #include "ogs-dbi.h"
+#include <string.h>
 
 int __ogs_dbi_domain;
 
+static char masked_db_uri[255];
 static ogs_mongoc_t self;
 
 /*
@@ -48,6 +50,30 @@ ogs_mongoc_mongoc_client_get_server_status (mongoc_client_t *client, /* IN */
    return ret;
 }
 
+const char* ogs_mask_db_uri(const char *db_uri)
+{
+    bzero(masked_db_uri, sizeof(masked_db_uri));
+    if (strnlen(db_uri, sizeof(masked_db_uri)) == sizeof(masked_db_uri)) {
+        return db_uri;
+    }
+
+    char *token = strtok((char *)db_uri, "@");
+    if (strlen(token) > 1) {
+        strcpy((char *)masked_db_uri, "mongodb://*****:*****@");
+        while (token != NULL) {
+            token = strtok(NULL, "@");
+            if (token != NULL) {
+                strcat((char *)masked_db_uri, token);
+            }
+        }
+    } else {
+        // no credentials provided, no need to mask anything
+        return db_uri;
+    }
+
+    return masked_db_uri;
+}
+
 int ogs_mongoc_init(const char *db_uri)
 {
     bson_t reply;
@@ -69,7 +95,7 @@ int ogs_mongoc_init(const char *db_uri)
 
     self.client = mongoc_client_new(db_uri);
     if (!self.client) {
-        ogs_error("Failed to parse DB URI [%s]", db_uri);
+        ogs_error("Failed to parse DB URI [%s]", ogs_mask_db_uri(db_uri));
         return OGS_ERROR;
     }
 
@@ -88,7 +114,7 @@ int ogs_mongoc_init(const char *db_uri)
 
     if (!ogs_mongoc_mongoc_client_get_server_status(
                 self.client, NULL, &reply, &error)) {
-        ogs_warn("Failed to connect to server [%s]", db_uri);
+        ogs_warn("Failed to connect to server [%s]", ogs_mask_db_uri(db_uri));
         return OGS_RETRY;
     }
 
@@ -96,7 +122,7 @@ int ogs_mongoc_init(const char *db_uri)
 
     bson_destroy(&reply);
 
-    ogs_info("MongoDB URI: '%s'", db_uri);
+    ogs_info("MongoDB URI: '%s'", ogs_mask_db_uri(db_uri));
 
     return OGS_OK;
 }
diff --git a/lib/dbi/ogs-mongoc.h b/lib/dbi/ogs-mongoc.h
index 3c80c8b8c6..8b2808324c 100644
--- a/lib/dbi/ogs-mongoc.h
+++ b/lib/dbi/ogs-mongoc.h
@@ -42,6 +42,7 @@ typedef struct ogs_mongoc_s {
     } collection;
 } ogs_mongoc_t;
 
+const char* ogs_mask_db_uri(const char *db_uri);
 int ogs_mongoc_init(const char *db_uri);
 void ogs_mongoc_final(void);
 ogs_mongoc_t *ogs_mongoc(void);