fix: redacts IPMI password in logs (#9997)

2021-10-26 11:03:41 -06:00 · 2021-10-26 11:03:41 -06:00 · 38aefd99b5
parent b5ee27212e
commit 38aefd99b5
2 changed files with 60 additions and 2 deletions
--- a/plugins/inputs/ipmi_sensor/ipmi.go
+++ b/plugins/inputs/ipmi_sensor/ipmi.go
@ -151,7 +151,7 @@ func (m *Ipmi) parse(acc telegraf.Accumulator, server string) error {
 			cmd := execCommand(name, dumpOpts...)
 			out, err := internal.CombinedOutputTimeout(cmd, time.Duration(m.Timeout))
 			if err != nil {
-				return fmt.Errorf("failed to run command %s: %s - %s", strings.Join(cmd.Args, " "), err, string(out))
+				return fmt.Errorf("failed to run command %s: %s - %s", strings.Join(sanitizeIPMICmd(cmd.Args), " "), err, string(out))
 			}
 		}
 		opts = append(opts, "-S")
@ -170,7 +170,7 @@ func (m *Ipmi) parse(acc telegraf.Accumulator, server string) error {
 	out, err := internal.CombinedOutputTimeout(cmd, time.Duration(m.Timeout))
 	timestamp := time.Now()
 	if err != nil {
-		return fmt.Errorf("failed to run command %s: %s - %s", strings.Join(cmd.Args, " "), err, string(out))
+		return fmt.Errorf("failed to run command %s: %s - %s", strings.Join(sanitizeIPMICmd(cmd.Args), " "), err, string(out))
 	}
 	if m.MetricVersion == 2 {
 		return m.parseV2(acc, hostname, out, timestamp)
@ -315,6 +315,16 @@ func aToFloat(val string) (float64, error) {
 	return f, nil
 }

+func sanitizeIPMICmd(args []string) []string {
+	for i, v := range args {
+		if v == "-P" {
+			args[i+1] = "REDACTED"
+		}
+	}
+
+	return args
+}
+
 func trim(s string) string {
 	return strings.TrimSpace(s)
 }
--- a/plugins/inputs/ipmi_sensor/ipmi_test.go
+++ b/plugins/inputs/ipmi_sensor/ipmi_test.go
@ -779,3 +779,51 @@ func Test_parseV2(t *testing.T) {
 		})
 	}
 }
+
+func TestSanitizeIPMICmd(t *testing.T) {
+	tests := []struct {
+		name     string
+		args     []string
+		expected []string
+	}{
+		{
+			name: "default args",
+			args: []string{
+				"-H", "localhost",
+				"-U", "username",
+				"-P", "password",
+				"-I", "lan",
+			},
+			expected: []string{
+				"-H", "localhost",
+				"-U", "username",
+				"-P", "REDACTED",
+				"-I", "lan",
+			},
+		},
+		{
+			name: "no password",
+			args: []string{
+				"-H", "localhost",
+				"-U", "username",
+				"-I", "lan",
+			},
+			expected: []string{
+				"-H", "localhost",
+				"-U", "username",
+				"-I", "lan",
+			},
+		},
+		{
+			name:     "empty args",
+			args:     []string{},
+			expected: []string{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var sanitizedArgs []string = sanitizeIPMICmd(tt.args)
+			require.Equal(t, tt.expected, sanitizedArgs)
+		})
+	}
+}