
Commit 5651317

Obfuscate secret tokens in logging (#6399)
Issue 1670 fix - obfuscate secret tokens.
1 parent ddc0512 commit 5651317

6 files changed

Lines changed: 221 additions & 56 deletions


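--- a/src/NuGetGallery/App_Start/Routes.cs
+++ b/src/NuGetGallery/App_Start/Routes.cs
@@ -149,25 +149,37 @@ public static void RegisterUIRoutes(RouteCollection routes)
 "packages/{id}/required-signer/{username}",
 new { controller = "Packages", action = RouteName.SetRequiredSigner, username = UrlParameter.Optional },
 constraints: new { httpMethod = new HttpMethodConstraint("POST") },
-obfuscationMetadata: new RouteExtensions.ObfuscatedMetadata(3, Obfuscator.DefaultTelemetryUserName) );
+obfuscationMetadata: new RouteExtensions.ObfuscatedPathMetadata(3, Obfuscator.DefaultTelemetryUserName) );
 
 routes.MapRoute(
 RouteName.PackageOwnerConfirmation,
 "packages/{id}/owners/{username}/confirm/{token}",
 new { controller = "Packages", action = "ConfirmPendingOwnershipRequest" },
-new RouteExtensions.ObfuscatedMetadata(3, Obfuscator.DefaultTelemetryUserName));
+new[]
+{
+new RouteExtensions.ObfuscatedPathMetadata(3, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(5, Obfuscator.DefaultTelemetryToken)
+});
 
 routes.MapRoute(
 RouteName.PackageOwnerRejection,
 "packages/{id}/owners/{username}/reject/{token}",
 new { controller = "Packages", action = "RejectPendingOwnershipRequest" },
-new RouteExtensions.ObfuscatedMetadata(3, Obfuscator.DefaultTelemetryUserName));
+new[]
+{
+new RouteExtensions.ObfuscatedPathMetadata(3, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(5, Obfuscator.DefaultTelemetryToken)
+});
 
 routes.MapRoute(
 RouteName.PackageOwnerCancellation,
 "packages/{id}/owners/{username}/cancel/{token}",
 new { controller = "Packages", action = "CancelPendingOwnershipRequest" },
-new RouteExtensions.ObfuscatedMetadata(3, Obfuscator.DefaultTelemetryUserName));
+new[]
+{
+new RouteExtensions.ObfuscatedPathMetadata(3, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(5, Obfuscator.DefaultTelemetryToken)
+});
 
 // We need the following two routes (rather than just one) due to Routing's
 // Consecutive Optional Parameter bug. :(
@@ -264,7 +276,7 @@ public static void RegisterUIRoutes(RouteCollection routes)
 RouteName.Profile,
 "profiles/{username}",
 new { controller = "Users", action = "Profiles" },
-new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName));
+new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName));
 
 routes.MapRoute(
 RouteName.GetUserCertificate,
@@ -304,19 +316,31 @@ public static void RegisterUIRoutes(RouteCollection routes)
 RouteName.PasswordReset,
 "account/forgotpassword/{username}/{token}",
 new { controller = "Users", action = "ResetPassword", forgot = true },
-new RouteExtensions.ObfuscatedMetadata(2, Obfuscator.DefaultTelemetryUserName));
+new[]
+{
+new RouteExtensions.ObfuscatedPathMetadata(2, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(3, Obfuscator.DefaultTelemetryToken)
+});
 
 routes.MapRoute(
 RouteName.PasswordSet,
 "account/setpassword/{username}/{token}",
 new { controller = "Users", action = "ResetPassword", forgot = false },
-new RouteExtensions.ObfuscatedMetadata(2, Obfuscator.DefaultTelemetryUserName));
+new[]
+{
+new RouteExtensions.ObfuscatedPathMetadata(2, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(3, Obfuscator.DefaultTelemetryToken)
+});
 
 routes.MapRoute(
 RouteName.ConfirmAccount,
 "account/confirm/{accountName}/{token}",
 new { controller = "Users", action = "Confirm" },
-new RouteExtensions.ObfuscatedMetadata(2, Obfuscator.DefaultTelemetryUserName));
+new[]
+{
+new RouteExtensions.ObfuscatedPathMetadata(2, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(3, Obfuscator.DefaultTelemetryToken)
+});
 
 routes.MapRoute(
 RouteName.ChangeEmailSubscription,
@@ -332,7 +356,7 @@ public static void RegisterUIRoutes(RouteCollection routes)
 RouteName.AdminDeleteAccount,
 "account/delete/{accountName}",
 new { controller = "Users", action = "Delete" },
-new RouteExtensions.ObfuscatedMetadata(2, Obfuscator.DefaultTelemetryUserName));
+new RouteExtensions.ObfuscatedPathMetadata(2, Obfuscator.DefaultTelemetryUserName));
 
 routes.MapRoute(
 RouteName.UserDeleteAccount,
@@ -348,18 +372,27 @@ public static void RegisterUIRoutes(RouteCollection routes)
 RouteName.TransformToOrganizationConfirmation,
 "account/transform/confirm/{accountNameToTransform}/{token}",
 new { controller = "Users", action = RouteName.TransformToOrganizationConfirmation },
-new RouteExtensions.ObfuscatedMetadata(3, Obfuscator.DefaultTelemetryUserName));
+new[]
+{
+new RouteExtensions.ObfuscatedPathMetadata(3, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(4, Obfuscator.DefaultTelemetryToken)
+});
 
 routes.MapRoute(
 RouteName.TransformToOrganizationRejection,
 "account/transform/reject/{accountNameToTransform}/{token}",
 new { controller = "Users", action = RouteName.TransformToOrganizationRejection },
-new RouteExtensions.ObfuscatedMetadata(3, Obfuscator.DefaultTelemetryUserName));
+new[]
+{
+new RouteExtensions.ObfuscatedPathMetadata(3, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(4, Obfuscator.DefaultTelemetryToken)
+});
 
 routes.MapRoute(
 RouteName.TransformToOrganizationCancellation,
 "account/transform/cancel/{token}",
-new { controller = "Users", action = RouteName.TransformToOrganizationCancellation });
+new { controller = "Users", action = RouteName.TransformToOrganizationCancellation },
+new RouteExtensions.ObfuscatedPathMetadata(3, Obfuscator.DefaultTelemetryToken));
 
 routes.MapRoute(
 RouteName.ApiKeys,
@@ -381,116 +414,124 @@ public static void RegisterUIRoutes(RouteCollection routes)
 "organization/{accountName}/certificates/{thumbprint}",
 new { controller = "Organizations", action = "GetCertificate" },
 constraints: new { httpMethod = new HttpMethodConstraint("GET") },
-obfuscationMetadata: new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName));
+obfuscationMetadata: new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName));
 
 routes.MapRoute(
 RouteName.DeleteOrganizationCertificate,
 "organization/{accountName}/certificates/{thumbprint}",
 new { controller = "Organizations", action = "DeleteCertificate" },
 constraints: new { httpMethod = new HttpMethodConstraint("DELETE") },
-obfuscationMetadata: new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName));
+obfuscationMetadata: new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName));
 
 routes.MapRoute(
 RouteName.GetOrganizationCertificates,
 "organization/{accountName}/certificates",
 new { controller = "Organizations", action = "GetCertificates" },
 constraints: new { httpMethod = new HttpMethodConstraint("GET") },
-obfuscationMetadata: new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName));
+obfuscationMetadata: new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName));
 
 routes.MapRoute(
 RouteName.AddOrganizationCertificate,
 "organization/{accountName}/certificates",
 new { controller = "Organizations", action = "AddCertificate" },
 constraints: new { httpMethod = new HttpMethodConstraint("POST") },
-obfuscationMetadata: new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName));
+obfuscationMetadata: new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName));
 
 routes.MapRoute(
 RouteName.OrganizationMemberAddAjax,
 "organization/{accountName}/members/add",
 new { controller = "Organizations", action = RouteName.OrganizationMemberAddAjax },
-new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName));
+new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName));
 
 routes.MapRoute(
 RouteName.OrganizationMemberAdd,
 "organization/{accountName}/members/add/{memberName}/{isAdmin}",
 new { controller = "Organizations", action = RouteName.OrganizationMemberAddAjax },
 new[]
 {
-new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName),
-new RouteExtensions.ObfuscatedMetadata(4, Obfuscator.DefaultTelemetryUserName)
+new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(4, Obfuscator.DefaultTelemetryUserName)
 });
 
 routes.MapRoute(
 RouteName.OrganizationMemberConfirm,
 "organization/{accountName}/members/confirm/{confirmationToken}",
 new { controller = "Organizations", action = RouteName.OrganizationMemberConfirm },
-new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName));
+new[]
+{
+new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(4, Obfuscator.DefaultTelemetryToken)
+});
 
 routes.MapRoute(
 RouteName.OrganizationMemberReject,
 "organization/{accountName}/members/reject/{confirmationToken}",
 new { controller = "Organizations", action = RouteName.OrganizationMemberReject },
-new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName));
+new[]
+{
+new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(4, Obfuscator.DefaultTelemetryToken)
+});
 
 routes.MapRoute(
 RouteName.OrganizationMemberCancelAjax,
 "organization/{accountName}/members/cancel",
 new { controller = "Organizations", action = RouteName.OrganizationMemberCancelAjax },
-new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName));
+new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName));
 
 routes.MapRoute(
 RouteName.OrganizationMemberCancel,
 "organization/{accountName}/members/cancel/{memberName}",
 new { controller = "Organizations", action = RouteName.OrganizationMemberCancelAjax },
 new[]
 {
-new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName),
-new RouteExtensions.ObfuscatedMetadata(4, Obfuscator.DefaultTelemetryUserName)
+new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(4, Obfuscator.DefaultTelemetryUserName)
 });
 
 routes.MapRoute(
 RouteName.OrganizationMemberUpdateAjax,
 "organization/{accountName}/members/update",
 new { controller = "Organizations", action = RouteName.OrganizationMemberUpdateAjax },
-new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName));
+new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName));
 
 routes.MapRoute(
 RouteName.OrganizationMemberUpdate,
 "organization/{accountName}/members/update/{memberName}/{isAdmin}",
 new { controller = "Organizations", action = RouteName.OrganizationMemberUpdateAjax },
 new[]
 {
-new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName),
-new RouteExtensions.ObfuscatedMetadata(4, Obfuscator.DefaultTelemetryUserName)
+new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(4, Obfuscator.DefaultTelemetryUserName)
 });
 
 routes.MapRoute(
 RouteName.OrganizationMemberDeleteAjax,
 "organization/{accountName}/members/delete",
 new { controller = "Organizations", action = RouteName.OrganizationMemberDeleteAjax },
-new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName));
+new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName));
 
 routes.MapRoute(
 RouteName.OrganizationMemberDelete,
 "organization/{accountName}/members/delete/{memberName}",
 new { controller = "Organizations", action = RouteName.OrganizationMemberDeleteAjax },
 new[]
 {
-new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName),
-new RouteExtensions.ObfuscatedMetadata(4, Obfuscator.DefaultTelemetryUserName)
+new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName),
+new RouteExtensions.ObfuscatedPathMetadata(4, Obfuscator.DefaultTelemetryUserName)
 });
 
 routes.MapRoute(
 RouteName.OrganizationAccount,
 "organization/{accountName}/{action}",
 new { controller = "Organizations", action = "ManageOrganization" },
-new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName));
+new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName));
 
 routes.MapRoute(
 RouteName.ChangeOrganizationEmailSubscription,
 "organization/{accountName}/subscription/change",
 new { controller = "Organizations", action = "ChangeEmailSubscription" },
-new RouteExtensions.ObfuscatedMetadata(1, Obfuscator.DefaultTelemetryUserName));
+new RouteExtensions.ObfuscatedPathMetadata(1, Obfuscator.DefaultTelemetryUserName));
 
 routes.MapRoute(
 RouteName.CuratedFeed,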
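Review bot: The token positions added in these hunks are hand-counted segment indices with nothing tying them to the route template: `5` for the `packages/{id}/owners/{username}/confirm|reject|cancel/{token}` routes, `3` for `account/forgotpassword|setpassword|confirm/.../{token}` and `account/transform/cancel/{token}`, and `4` for the transform confirm/reject and organization member confirm/reject routes. A later edit to a template would silently shift the masked segment, and the secret would reach telemetry in clear text again. The indices shown do match their templates, but I would add a unit test that walks every registered route and asserts that each `{token}` or `{confirmationToken}` segment has an `ObfuscatedPathMetadata` entry at its index; the commit touches six files, so such a test may already exist outside this view. Short of that, a comment at each call such as `// segment 5 = {token}` would make the coupling visible to the next editor. The name `ObfuscatedPathMetadata` suggests only path segments are masked, so it is worth confirming that none of these tokens can also arrive in a query string, and `RegisterUIRoutes` itself begins and ends outside the hunks shown.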
