
org.owasp.security.logging.mask.MaskingConverter Maven / Gradle / Ivy

package org.owasp.security.logging.mask;

import org.owasp.security.logging.SecurityMarkers;

import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.core.pattern.ReplacingCompositeConverter;
import org.slf4j.Marker;
import org.slf4j.helpers.MessageFormatter;

/**
 * This converter is used to output a masked version of the formatted message in
 * contexts where the logging of confidential information is undesirable. 
 *
 * It is not possible to replace the actual formatted message, instead this converter
 * returns a masked version of the message that can be accessed using the conversionWord
 * specified in the conversionRule definition in logback.xml. 
 * 
 * @author August Detlefsen [[email protected]]
 * @author Sytze van Koningsveld 
 */
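public class MaskingConverter extends
        ReplacingCompositeConverter<ILoggingEvent> {

    /**
     * Formats the event's message, replacing every argument with asterisks
     * when the event carries {@link SecurityMarkers#CONFIDENTIAL}.
     *
     * <p>Security notes for anyone wiring this into a pattern:
     * <ul>
     * <li>Only the arguments are masked. The message template returned by
     * {@code event.getMessage()} is emitted unchanged, so confidential values
     * must be passed as arguments and never concatenated into the template.</li>
     * <li>Masking happens on a copy of the argument array. The event itself is
     * left untouched, so a pattern that prints the ordinary formatted message
     * still shows the clear-text values; use this converter's conversion word
     * on every appender that must not receive them.</li>
     * <li>The mask has one asterisk per character matched by the regex
     * {@code .}, so the output still reveals the approximate length of each
     * value.</li>
     * </ul>
     *
     * @param event the logging event being rendered
     * @return the formatted message, with its arguments masked when the event
     *         is confidential
     */
    @Override
    public String convert(ILoggingEvent event) {
        Object[] args = event.getArgumentArray();

        // getArgumentArray() is null for events logged without arguments.
        if (args != null && isConfidential(event.getMarker())) {
            args = maskAll(args);
        }

        return MessageFormatter.arrayFormat(event.getMessage(), args).getMessage();
    }

    /**
     * Tells whether the marker is CONFIDENTIAL or holds it as a reference.
     * {@code contains} is used instead of {@code equals} so that a marker
     * combining CONFIDENTIAL with other markers is masked as well.
     */
    private static boolean isConfidential(Marker marker) {
        return marker != null && marker.contains(SecurityMarkers.CONFIDENTIAL);
    }

    /**
     * Returns a new array holding the masked string form of each argument.
     * The input array is not modified, because it belongs to the event and is
     * read by every other appender and converter that handles the same event.
     */
    private static Object[] maskAll(Object[] args) {
        Object[] masked = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            // String.valueOf tolerates null arguments; they are masked like any
            // other value instead of raising a NullPointerException.
            masked[i] = String.valueOf(args[i]).replaceAll(".", "*");
        }
        return masked;
    }

    /**
     * Override start method because the superclass ReplacingCompositeConverter
     * requires at least two options and this class has none.
     */
    @Override
    public void start() {
        started = true;
    }

}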



