fixed Password Exposure in IPMI Tool Command Execution (#12028)

Author: YLChen-007

utils/src/main/java/org/apache/cloudstack/utils/process/ProcessRunner.java

@@ -67,11 +67,13 @@ String removeCommandSensitiveInfoForLogging(String command) {
     public ProcessRunner(ExecutorService executor) {
         this.executor = executor;
         commandLogReplacements.add(new Ternary<>("ipmitool", "-P\\s+\\S+", "-P *****"));
+        commandLogReplacements.add(new Ternary<>("ipmitool", "(?i)password\\s+\\S+\\s+\\S+", "password **** ****"));
     }
 
     /**
      * Executes a process with provided list of commands with a max default timeout
      * of 5 minutes
+     *
      * @param commands list of string commands
      * @return returns process result
      */
@@ -82,6 +84,7 @@ public ProcessResult executeCommands(final List<String> commands) {
     /**
      * Executes a process with provided list of commands with a given timeout that is less
      * than or equal to DEFAULT_MAX_TIMEOUT
+     *
      * @param commands list of string commands
      * @param timeOut timeout duration
      * @return returns process result
@@ -109,14 +112,16 @@ public Integer call() throws Exception {
                 }
             });
             try {
-                logger.debug("Waiting for a response from command [{}]. Defined timeout: [{}].", commandLog, timeOut.getStandardSeconds());
+                logger.debug("Waiting for a response from command [{}]. Defined timeout: [{}].", commandLog,
+                        timeOut.getStandardSeconds());
                 retVal = processFuture.get(timeOut.getStandardSeconds(), TimeUnit.SECONDS);
             } catch (ExecutionException e) {
-                logger.warn("Failed to complete the requested command [{}] due to execution error.", commands, e);
+                logger.warn("Failed to complete the requested command [{}] due to execution error.", commandLog, e);
                 retVal = -2;
                 stdError = e.getMessage();
             } catch (TimeoutException e) {
-                logger.warn("Failed to complete the requested command [{}] within timeout. Defined timeout: [{}].", commandLog, timeOut.getStandardSeconds(), e);
+                logger.warn("Failed to complete the requested command [{}] within timeout. Defined timeout: [{}].",
+                        commandLog, timeOut.getStandardSeconds(), e);
                 retVal = -1;
                 stdError = "Operation timed out, aborted.";
             } finally {

utils/src/test/java/org/apache/cloudstack/utils/process/ProcessRunnerTest.java

@@ -60,4 +60,16 @@ public void testRemoveCommandSensitiveInfoForLoggingIpmi() {
         Assert.assertTrue(log.contains(password));
         Assert.assertEquals(1, countSubstringOccurrences(log, password));
     }
+
+    @Test
+    public void testRemoveCommandSensitiveInfoForLoggingIpmiPasswordCommand() {
+        String userId = "3";
+        String newPassword = "Sup3rSecr3t!";
+        String command = String.format("/usr/bin/ipmitool user set password %s %s", userId, newPassword);
+        String log = processRunner.removeCommandSensitiveInfoForLogging(command);
+
+        Assert.assertFalse(log.contains(userId));
+        Assert.assertFalse(log.contains(newPassword));
+        Assert.assertTrue(log.contains("password **** ****"));
+    }
 }