Merge pull request #5499 from MarcDiamantHitachi/BACKLOG-39521

[BACKLOG-39521] Added if statement to remove username and password be…
pentaho · Jan 19, 2024 · 4761e10 · 4761e10
2 parents 15e5b39 + 247e2b8
commit 4761e10
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/tomcat-logs/src/main/java/org/pentaho/tomcat/logvalve/FilteredAccessLogValve.java b/tomcat-logs/src/main/java/org/pentaho/tomcat/logvalve/FilteredAccessLogValve.java
@@ -14,7 +14,7 @@
  * See the GNU General Public License for more details.
  *
  *
- * Copyright (c) 2022 Hitachi Vantara. All rights reserved.
+ * Copyright (c) 2022-2024 Hitachi Vantara. All rights reserved.
  *
  */
 
@@ -35,10 +35,18 @@ public class FilteredAccessLogValve extends AccessLogValve {
   public void log( CharArrayWriter message ) {
     try ( CharArrayWriter caw = new CharArrayWriter() ) {
       // Mask the user password
-      caw.write( message.toString().replaceAll( "j_password=[^&^ ]*", "j_password=***" ) );
+      String tempString = message.toString();
+      if ( tempString.contains( "/pentaho/api/csrf" ) || tempString.contains( "/pentaho/api/repo/files/backup" ) ) {
+        tempString = tempString.replaceAll( "\\?userid[^&]+%26", "" );
+        tempString = tempString.replaceAll( "\\?userid[^&]+", "" );
+        tempString = tempString.replaceAll( "password[^&]+%26", "" );
+        tempString = tempString.replaceAll( "\\&password[^&]+", "" );
+      }
+      tempString = tempString.replaceAll( "j_password=[^&^ ]*", "j_password=***" );
+      caw.write( tempString );
       super.log( caw );
     } catch ( IOException e ) {
       e.printStackTrace();
     }
   }
-}
+}