From 38aefd99b55450a6338c3e843487712110c2f3d2 Mon Sep 17 00:00:00 2001
From: Joshua Powers <powersj@influxdata.com>
Date: Tue, 26 Oct 2021 11:03:41 -0600
Subject: [PATCH] fix: redacts IPMI password in logs (#9997)

---
 plugins/inputs/ipmi_sensor/ipmi.go      | 14 ++++++--
 plugins/inputs/ipmi_sensor/ipmi_test.go | 48 +++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 2 deletions(-)

diff --git a/plugins/inputs/ipmi_sensor/ipmi.go b/plugins/inputs/ipmi_sensor/ipmi.go
index d26e739e9..801188130 100644
--- a/plugins/inputs/ipmi_sensor/ipmi.go
+++ b/plugins/inputs/ipmi_sensor/ipmi.go
@@ -151,7 +151,7 @@ func (m *Ipmi) parse(acc telegraf.Accumulator, server string) error {
 			cmd := execCommand(name, dumpOpts...)
 			out, err := internal.CombinedOutputTimeout(cmd, time.Duration(m.Timeout))
 			if err != nil {
-				return fmt.Errorf("failed to run command %s: %s - %s", strings.Join(cmd.Args, " "), err, string(out))
+				return fmt.Errorf("failed to run command %s: %s - %s", strings.Join(sanitizeIPMICmd(cmd.Args), " "), err, string(out))
 			}
 		}
 		opts = append(opts, "-S")
@@ -170,7 +170,7 @@ func (m *Ipmi) parse(acc telegraf.Accumulator, server string) error {
 	out, err := internal.CombinedOutputTimeout(cmd, time.Duration(m.Timeout))
 	timestamp := time.Now()
 	if err != nil {
-		return fmt.Errorf("failed to run command %s: %s - %s", strings.Join(cmd.Args, " "), err, string(out))
+		return fmt.Errorf("failed to run command %s: %s - %s", strings.Join(sanitizeIPMICmd(cmd.Args), " "), err, string(out))
 	}
 	if m.MetricVersion == 2 {
 		return m.parseV2(acc, hostname, out, timestamp)
@@ -315,6 +315,16 @@ func aToFloat(val string) (float64, error) {
 	return f, nil
 }
 
+func sanitizeIPMICmd(args []string) []string {
+	for i, v := range args {
+		if v == "-P" {
+			args[i+1] = "REDACTED"
+		}
+	}
+
+	return args
+}
+
 func trim(s string) string {
 	return strings.TrimSpace(s)
 }
diff --git a/plugins/inputs/ipmi_sensor/ipmi_test.go b/plugins/inputs/ipmi_sensor/ipmi_test.go
index 4a2910101..504a7467f 100644
--- a/plugins/inputs/ipmi_sensor/ipmi_test.go
+++ b/plugins/inputs/ipmi_sensor/ipmi_test.go
@@ -779,3 +779,51 @@ func Test_parseV2(t *testing.T) {
 		})
 	}
 }
+
+func TestSanitizeIPMICmd(t *testing.T) {
+	tests := []struct {
+		name     string
+		args     []string
+		expected []string
+	}{
+		{
+			name: "default args",
+			args: []string{
+				"-H", "localhost",
+				"-U", "username",
+				"-P", "password",
+				"-I", "lan",
+			},
+			expected: []string{
+				"-H", "localhost",
+				"-U", "username",
+				"-P", "REDACTED",
+				"-I", "lan",
+			},
+		},
+		{
+			name: "no password",
+			args: []string{
+				"-H", "localhost",
+				"-U", "username",
+				"-I", "lan",
+			},
+			expected: []string{
+				"-H", "localhost",
+				"-U", "username",
+				"-I", "lan",
+			},
+		},
+		{
+			name:     "empty args",
+			args:     []string{},
+			expected: []string{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var sanitizedArgs []string = sanitizeIPMICmd(tt.args)
+			require.Equal(t, tt.expected, sanitizedArgs)
+		})
+	}
+}