• Home
• org.owasp
• security-logging-log4j
• 1.1.0
• source code
• MaskingRewritePolicy.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.owasp.security.logging.log4j.mask.MaskingRewritePolicy Maven / Gradle / Ivy

/*
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.owasp.security.logging.log4j.mask;

import org.apache.logging.log4j.Marker;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.appender.rewrite.RewritePolicy;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.message.Message;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.logging.slf4j.Log4jMarker;
import org.owasp.security.logging.SecurityMarkers;

/**
 *
 * @author adetlefsen
 */
@Plugin(name = "MaskingRewritePolicy", category = "Core", elementType = "rewritePolicy", printObject = true)
public class MaskingRewritePolicy implements RewritePolicy {

    /**
     * Rewrite the event.
     * @param source a logging event that may be returned or
     * used to create a new logging event.
     * @return The LogEvent after rewriting.
     */
    public LogEvent rewrite(LogEvent source) {
        //get the markers for the log event. If no markers, nothing cn be tagged confidential and we can return
        Marker sourceMarker = source.getMarker();
        if (sourceMarker == null) return source;
        
        //get the message. If no message we can return
        final Message msg = source.getMessage();
        if (msg == null || !(msg instanceof ParameterizedMessage)) return source;
        
        //get the parameters. If no params we can return 
        Object[] params = msg.getParameters();
        if (params == null || params.length == 0) return source;
        
        //check if this event is actually marked as confidential. If not, return
        org.apache.logging.slf4j.Log4jMarker eventMarker = new Log4jMarker(sourceMarker);
        if (!eventMarker.contains(SecurityMarkers.CONFIDENTIAL)) return source;
        
        //we have a message, parameters, a marker, and it is confidential. Process
        for (int i = 0; i < params.length; i++) {
            String arg = params[i].toString();
            arg = arg.replaceAll(".", "*");
            params[i] = arg;
        }
        
        Message outMessage = new ParameterizedMessage(msg.getFormat(), params, msg.getThrowable());
        LogEvent output = new Log4jLogEvent(source.getLoggerName(), source.getMarker(), source.getLoggerFqcn(), source.getLevel(),
            outMessage, source.getThrown(), source.getContextMap(), source.getContextStack(), source.getThreadName(),
            source.getSource(), source.getTimeMillis());
        
        return output;
    }
    
}