Omit sensitive data from PUSH_REPLY log

Namely auth-token.
2018-09-02 12:33:47 +02:00 · 2018-09-02 12:33:47 +02:00 · 3543f7aab3
parent 7df229c115
commit 3543f7aab3
2 changed files with 26 additions and 4 deletions
--- a/TunnelKit/Sources/Core/SessionProxy+PushReply.swift
+++ b/TunnelKit/Sources/Core/SessionProxy+PushReply.swift
@ -161,7 +161,7 @@ extension SessionProxy {

    // XXX: parsing is very optimistic
    
-    struct PushReply: SessionReply {
+    struct PushReply: SessionReply, CustomStringConvertible {
        private enum Topology: String {
            case net30
            
@ -170,6 +170,8 @@ extension SessionProxy {
            case subnet
        }
        
+        private static let prefix = "PUSH_REPLY,"
+        
        private static let topologyRegexp = try! NSRegularExpression(pattern: "topology (net30|p2p|subnet)", options: [])
        
        private static let ifconfigRegexp = try! NSRegularExpression(pattern: "ifconfig [\\d\\.]+ [\\d\\.]+", options: [])
@ -189,6 +191,8 @@ extension SessionProxy {
        private static let peerIdRegexp = try! NSRegularExpression(pattern: "peer-id [0-9]+", options: [])

        private static let cipherRegexp = try! NSRegularExpression(pattern: "cipher [^\\s]+", options: [])
+        
+        private let original: String

        let ipv4: IPv4Settings?
        
@ -203,10 +207,12 @@ extension SessionProxy {
        let cipher: SessionProxy.Cipher?
        
        init?(message: String) throws {
-            guard message.hasPrefix("PUSH_REPLY") else {
+            guard message.hasPrefix(PushReply.prefix) else {
                return nil
            }
-            
+            let prefixOffset = message.index(message.startIndex, offsetBy: PushReply.prefix.count)
+            original = String(message[prefixOffset..<message.endIndex])
+
            var optTopologyArguments: [String]?
            var optIfconfig4Arguments: [String]?
            var optGateway4Arguments: [String]?
@ -380,6 +386,19 @@ extension SessionProxy {
            self.peerId = peerId
            self.cipher = cipher
        }
+        
+        // MARK: CustomStringConvertible
+        
+        var description: String {
+            let stripped = NSMutableString(string: original)
+            PushReply.authTokenRegexp.replaceMatches(
+                in: stripped,
+                options: [],
+                range: NSMakeRange(0, stripped.length),
+                withTemplate: "auth-token"
+            )
+            return stripped as String
+        }
    }
 }

--- a/TunnelKit/Sources/Core/SessionProxy.swift
+++ b/TunnelKit/Sources/Core/SessionProxy.swift
@ -875,7 +875,9 @@ public class SessionProxy {
            return
        }

-        log.debug("Received control message: \"\(message)\"")
+        if CoreConfiguration.logsSensitiveData {
+            log.debug("Received control message: \"\(message)\"")
+        }
        
        let reply: PushReply
        do {
@ -883,6 +885,7 @@ public class SessionProxy {
                return
            }
            reply = optionalReply
+            log.debug("Received PUSH_REPLY: \"\(reply)\"")
        } catch let e {
            deferStop(.shutdown, e)
            return