fix SECURITY-2128

Author: fengxx

splunk-devops-extend/pom.xml

@@ -27,7 +27,9 @@
             <email>xiao.xj@outlook.com</email>
         </developer>
     </developers>
-
+    <properties>
+        <useBeta>true</useBeta>
+    </properties>
     <dependencies>
         <dependency>
             <groupId>${project.groupId}</groupId>

splunk-devops-extend/src/main/java/com/splunk/splunkjenkins/console/SplunkTaskListenerFactory.java

@@ -12,6 +12,7 @@
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+
 import java.io.IOException;
 import java.util.concurrent.ExecutionException;
 import java.util.logging.Level;
@@ -37,6 +38,14 @@ public SplunkConsoleTaskListenerDecorator load(WorkflowRun key) {
                 }
             });
 
+    @Override
+    /*
+       data stream is passed to splunk decorator first (it sees data in the last due to decorator behavior)
+     */
+    public boolean isAppliedBeforeMainDecorator() {
+        return true;
+    }
+
     @CheckForNull
     @Override
     public TaskListenerDecorator of(@NonNull FlowExecutionOwner flowExecutionOwner) {

splunk-devops-extend/src/test/java/com/splunk/splunkjenkins/SplunkConsoleTaskListenerDecoratorTest.java

@@ -1,6 +1,8 @@
 package com.splunk.splunkjenkins;
 
 import com.splunk.splunkjenkins.console.ConsoleRecordCacheUtils;
+import hudson.console.LineTransformationOutputStream;
+import hudson.model.AbstractBuild;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
 import org.jenkinsci.plugins.workflow.job.WorkflowJob;
 import org.jenkinsci.plugins.workflow.job.WorkflowRun;
@@ -10,8 +12,18 @@
 import org.junit.Rule;
 import org.junit.Test;
 import org.jvnet.hudson.test.BuildWatcher;
+import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.TestExtension;
+import org.kohsuke.stapler.DataBoundConstructor;
+import org.jenkinsci.plugins.workflow.steps.*;
+import hudson.console.ConsoleLogFilter;
 
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.Serializable;
+import java.util.Collections;
+import java.util.Set;
 import java.util.UUID;
 
 import static com.splunk.splunkjenkins.SplunkConfigUtil.checkTokenAvailable;
@@ -25,6 +37,8 @@ public class SplunkConsoleTaskListenerDecoratorTest {
     String id = UUID.randomUUID().toString();
     @Rule
     public JenkinsRule r = new JenkinsRule();
+    private static final String TEST_SECRET = "secret";
+    private static final String TEST_REPLACEMENT = "xxxx";
     private String jobScript = "node{\n" +
             "  parallel first: {sh \"echo SplunkConsoleTaskListenerDecoratorTest\"},\n" +
             "          second: {sh \"echo " + id + "\"}\n" +
@@ -57,4 +71,93 @@ public void testSendConsole() throws Exception {
         verifySplunkSearchResult("source=" + b1.getUrl() + "console " + id, startTime, 2);
         verifySplunkSearchResult("source=" + b1.getUrl() + "console parallel_label=first", startTime, 1);
     }
+
+
+    @Issue("SECURITY-2128")
+    @Test
+    public void testDataFilter() throws Exception {
+        WorkflowJob p = r.jenkins.createProject(WorkflowJob.class, "mask-job");
+        p.setDefinition(new CpsFlowDefinition("withTestMaskFilter {node {echo 'hello" + TEST_SECRET + "'}}", false));
+        long startTime = System.currentTimeMillis();
+        WorkflowRun b1 = r.assertBuildStatusSuccess(p.scheduleBuild2(0));
+        assertFalse(b1.isBuilding());
+        String testStr = "hello" + TEST_REPLACEMENT;
+        r.assertLogContains(testStr, b1);
+        verifySplunkSearchResult("source=" + b1.getUrl() + "console " + testStr, startTime, 1);
+    }
+
+    /**
+     * simply replace secret with xxxx
+     */
+    public static final class FilterStep extends Step {
+        @DataBoundConstructor
+        public FilterStep() {
+        }
+
+        @Override
+        public StepExecution start(StepContext context) throws Exception {
+            return new Execution(context);
+        }
+
+        private static final class Execution extends StepExecution {
+            private static final long serialVersionUID = 1L;
+
+            Execution(StepContext context) {
+                super(context);
+            }
+
+            @Override
+            public boolean start() throws Exception {
+                getContext().newBodyInvoker().withContext(new Filter()).withCallback(BodyExecutionCallback.wrap(getContext())).start();
+                return false;
+            }
+        }
+
+        private static final class Filter extends ConsoleLogFilter implements Serializable {
+            private static final long serialVersionUID = 1L;
+
+            @SuppressWarnings("rawtypes")
+            @Override
+            public OutputStream decorateLogger(AbstractBuild _ignore, OutputStream logger) throws IOException, InterruptedException {
+                return new MaskingOutputStream(logger);
+            }
+        }
+
+        public static class MaskingOutputStream extends LineTransformationOutputStream.Delegating {
+
+
+            protected MaskingOutputStream(OutputStream out) {
+                super(out);
+            }
+
+            @Override
+            protected void eol(byte[] b, int len) throws IOException {
+                if (len < TEST_SECRET.length()) {
+                    out.write(b, 0, len);
+                    return;
+                }
+                String content = new String(b, 0, len, "utf-8");
+                out.write(content.replaceAll(TEST_SECRET, TEST_REPLACEMENT).getBytes());
+            }
+        }
+
+        @TestExtension
+        public static final class DescriptorImpl extends StepDescriptor {
+            @Override
+            public Set<? extends Class<?>> getRequiredContext() {
+                return Collections.emptySet();
+            }
+
+            @Override
+            public String getFunctionName() {
+                return "withTestMaskFilter";
+            }
+
+            @Override
+            public boolean takesImplicitBlockArgument() {
+                return true;
+            }
+        }
+    }
+
 }