Merge pull request #525 from alex268/fix_log_vulnerability

alex268 · web-flow · commit 97d01a49dcff · 2025-08-11T14:56:11.000+01:00
Hide token &amp; passwords from SDK trace logs
diff --git a/core/src/main/java/tech/ydb/core/impl/call/ReadWriteStreamCall.java b/core/src/main/java/tech/ydb/core/impl/call/ReadWriteStreamCall.java
@@ -22,6 +22,7 @@
 import tech.ydb.core.grpc.GrpcStatuses;
 import tech.ydb.core.grpc.GrpcTransport;
 import tech.ydb.core.impl.auth.AuthCallOptions;
+import tech.ydb.proto.topic.YdbTopic;
 
 /**
  *
@@ -96,8 +97,12 @@ public void sendNext(W message) {
         try {
             if (flush()) {
                 if (logger.isTraceEnabled()) {
-                    String msg = TextFormat.shortDebugString((Message) message);
-                    logger.trace("ReadWriteStreamCall[{}] --> {}", traceId, msg);
+                    if (message instanceof YdbTopic.UpdateTokenRequest) {
+                        logger.trace("ReadWriteStreamCall[{}] --> {}", traceId, "update_token_request { token: XXXX }");
+                    } else {
+                        String msg = TextFormat.shortDebugString((Message) message);
+                        logger.trace("ReadWriteStreamCall[{}] --> {}", traceId, msg);
+                    }
                 }
                 call.sendMessage(message);
             } else {
diff --git a/core/src/main/java/tech/ydb/core/impl/call/UnaryCall.java b/core/src/main/java/tech/ydb/core/impl/call/UnaryCall.java
@@ -18,6 +18,7 @@
 import tech.ydb.core.StatusCode;
 import tech.ydb.core.grpc.GrpcStatuses;
 import tech.ydb.core.grpc.GrpcTransport;
+import tech.ydb.proto.auth.YdbAuth;
 
 /**
  *
@@ -51,7 +52,11 @@ public CompletableFuture<Result<RespT>> startCall(ReqT request, Metadata headers
         try {
             call.start(this, headers);
             if (logger.isTraceEnabled()) {
-                logger.trace("UnaryCall[{}] --> {}", traceId, TextFormat.shortDebugString((Message) request));
+                if (request instanceof YdbAuth.LoginRequest) {
+                    logger.trace("UnaryCall[{}] --> {}", traceId, "LoginRequest user: XXXX password: XXXX");
+                } else {
+                    logger.trace("UnaryCall[{}] --> {}", traceId, TextFormat.shortDebugString((Message) request));
+                }
             }
             call.sendMessage(request);
             call.halfClose();
@@ -71,7 +76,11 @@ public CompletableFuture<Result<RespT>> startCall(ReqT request, Metadata headers
     @Override
     public void onMessage(RespT value) {
         if (logger.isTraceEnabled()) {
-            logger.trace("UnaryCall[{}] <-- {}", traceId, TextFormat.shortDebugString((Message) value));
+            if (value instanceof YdbAuth.LoginResponse) {
+                logger.trace("UnaryCall[{}] <-- {}", traceId, "LoginResponse XXXX");
+            } else {
+                logger.trace("UnaryCall[{}] <-- {}", traceId, TextFormat.shortDebugString((Message) value));
+            }
         }
         if (!this.value.compareAndSet(null, value)) {
             future.complete(Result.fail(MULTIPLY_VALUES));
