From 100071dc8bf68097a970041ac6dc2a5b4017ae3d Mon Sep 17 00:00:00 2001
From: Pavel Moravec
Date: Thu, 26 Sep 2024 19:17:36 +0200
Subject: [PATCH] [plugins] Obfuscate *_PROXY credentials
HTTP_PROXY or similar env.variables can contain credentials we must scrub. The variables or directly credentials can be specified in a few places the commit deals with.
Resolves: #3789
Signed-off-by: Pavel Moravec
---
 sos/report/plugins/__init__.py | 15 +++++++++++++++
 sos/report/plugins/anaconda.py | 9 +++++----
 sos/report/plugins/system.py | 6 ++++++
 sos/report/plugins/systemd.py | 7 +++++++
 4 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/sos/report/plugins/__init__.py b/sos/report/plugins/__init__.py
index f88f0c0d26..0707b43fc3 100644
--- a/sos/report/plugins/__init__.py
+++ b/sos/report/plugins/__init__.py
@@ -1313,6 +1313,21 @@ def do_file_sub(self, srcpath, regexp, subst):
 replacements = 0
 return replacements
+ def do_paths_httpproxy_sub(self, pathspecs):
+ """ Obfuscate credentials in *_PROXY variables in all files in the
+ given list. Proxy setting without protocol is ignored, since that
+ is not recommended setting and obfuscating that one can hit false
+ positives.
+
+ :param pathspecs: A filepath to obfuscate credentials in
+ :type pathspecs: ``str`` or a ``list`` of strings
+ """
+ if isinstance(pathspecs, str):
+ pathspecs = [pathspecs]
+ for path in pathspecs:
+ self.do_path_regex_sub(
+ path, r"(http(s)?://)\S+:\S+(@.*)", r"\1******:******\3")
+
 def do_path_regex_sub(self, pathexp, regexp, subst):
 """Apply a regexp substituation to a set of files archived by sos.
 The set of files to be substituted is generated by matching
diff --git a/sos/report/plugins/anaconda.py b/sos/report/plugins/anaconda.py
index 78577d3f7e..d6e0f8397d 100644
--- a/sos/report/plugins/anaconda.py
+++ b/sos/report/plugins/anaconda.py
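Review bot: The trailing group `(@.*)` in the pattern passed to `do_path_regex_sub` runs to the end of the line, so when one line carries two proxy URLs (for example several assignments in a single systemd `Environment=` directive, which the systemd.py hunk feeds to this helper), the second URL falls inside group 3 and is written back with its credentials intact. Ending the match at the separator avoids that while keeping the group numbering: `path, r"(http(s)?://)\S+:\S+(@)", r"\1******:******\3")`. The pattern also requires a `user:password` pair, so a URL carrying only a user name or token before the `@` is left unchanged; if that is intended, the docstring should say so next to the "without protocol" caveat. The `:param pathspecs:` line could also state that each entry is handed to `do_path_regex_sub` as a path expression rather than a literal file path.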
@@ -24,21 +24,21 @@ class Anaconda(Plugin, RedHatPlugin):
 def setup(self):
- paths = [
+ self.copypaths = [
 "/root/anaconda-ks.cfg"
 ]
 if self.path_isdir('/var/log/anaconda'): # new anaconda
- paths.append('/var/log/anaconda')
+ self.copypaths.append('/var/log/anaconda')
 else:
- paths = paths + [
+ self.copypaths = self.copypaths + [
 "/var/log/anaconda.*",
 "/root/install.log",
 "/root/install.log.syslog"
 ]
- self.add_copy_spec(paths)
+ self.add_copy_spec(self.copypaths)
 def postproc(self):
 self.do_file_sub(
@@ -51,5 +51,6 @@ def postproc(self):
 r"(user.*--password=*\s*)\s*(\S*)",
 r"\1********"
 )
+ self.do_paths_httpproxy_sub(self.copypaths)
 # vim: set et ts=4 sw=4 :
diff --git a/sos/report/plugins/system.py b/sos/report/plugins/system.py
index cc282dc1bb..161ee937bc 100644
--- a/sos/report/plugins/system.py
+++ b/sos/report/plugins/system.py
@@ -40,5 +40,11 @@ def setup(self):
 "ld.so --list-tunables"
 ])
+ def postproc(self):
+ self.do_paths_httpproxy_sub([
+ "/etc/sysconfig",
+ "/etc/default",
+ "/etc/environment",
+ ])
 # vim: set et ts=4 sw=4 :
diff --git a/sos/report/plugins/systemd.py b/sos/report/plugins/systemd.py
index a50a155e36..94dae3505f 100644
--- a/sos/report/plugins/systemd.py
+++ b/sos/report/plugins/systemd.py
@@ -95,4 +95,11 @@ def setup(self):
 ])
 self.add_forbidden_path('/dev/null')
+ def postproc(self):
+ self.do_paths_httpproxy_sub([
+ "/etc/systemd/system",
+ "/lib/systemd/system",
+ "/run/systemd/system",
+ ])
+
 # vim: set et ts=4 sw=4 :
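Review bot: `self.copypaths` holds copy specs written as globs (`"/var/log/anaconda.*"`), but the call added in `postproc` sends each entry through `do_paths_httpproxy_sub` to `do_path_regex_sub`, whose `pathexp` parameter reads as a regular expression, so the same strings are interpreted in two different ways. The current entries happen to work under both readings, but a later glob-only spec (one using `?` or `[...]`, say) could fail to match as a regex and leave its files unscrubbed; a comment on the list such as `# reused in postproc() as path regexes; keep entries valid as both glob and regex` would make the constraint visible. The attribute is also created only inside `setup()`, so `postproc()` depends on `setup()` having run first. Both method bodies extend beyond these hunks.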
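Review bot: The three paths given to `do_paths_httpproxy_sub` in the system.py `postproc` are a second, hand-maintained copy of what the plugin collects, unlike anaconda.py in the same commit, which reuses the list it passed to `add_copy_spec`; the systemd.py `postproc` has the same shape. `setup()`'s copy specs lie outside both hunks, so whether the lists currently agree cannot be checked here, but a spec added to `setup()` later would be archived without the proxy scrubbing. Keeping one list on the instance and using it in both methods, or at least adding `# keep in sync with the copy specs in setup()` above each call, would make that dependency explicit.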