Hide password in exception messages of SocksAuthRequest

Related: #3504 Motivation: There are two places in the SocksAuthRequest constructor where an IllegalArgumentException is thrown with a password as part of the exception message. This constitutes mishandling of confidential information, which can compromise user privacy and is flagged as critical by security scanners. Modifications: Mask the password in the exception messages Result: No unexpected password leak
2015-03-17 17:23:30 +09:00 · 2015-03-17 17:23:30 +09:00 · 9091e66e15
commit 9091e66e15
parent 034e0bd8d2
1 changed files with 4 additions and 4 deletions
--- a/codec-socks/src/main/java/io/netty/handler/codec/socks/SocksAuthRequest.java
+++ b/codec-socks/src/main/java/io/netty/handler/codec/socks/SocksAuthRequest.java
@ -41,14 +41,14 @@ public final class SocksAuthRequest extends SocksRequest {
            throw new NullPointerException("username");
        }
        if (!asciiEncoder.canEncode(username) || !asciiEncoder.canEncode(password)) {
-            throw new IllegalArgumentException(" username: " + username + " or password: " + password +
-                    " values should be in pure ascii");
+            throw new IllegalArgumentException(
+                    "username: " + username + " or password: **** values should be in pure ascii");
        }
        if (username.length() > 255) {
-            throw new IllegalArgumentException(username + " exceeds 255 char limit");
+            throw new IllegalArgumentException("username: " + username + " exceeds 255 char limit");
        }
        if (password.length() > 255) {
-            throw new IllegalArgumentException(password + " exceeds 255 char limit");
+            throw new IllegalArgumentException("password: **** exceeds 255 char limit");
        }
        this.username = username;
        this.password = password;