Hide password in exception messages of SocksAuthRequest

Related: netty#3504 Motivation: There are two places in the SocksAuthRequest constructor where an IllegalArgumentException is thrown with a password as part of the exception message. This constitutes mishandling of confidential information, which can compromise user privacy and is flagged as critical by security scanners. Modifications: Mask the password in the exception messages Result: No unexpected password leak
datatonic · Mar 17, 2015 · 1d061bb · 1d061bb
1 parent a97e413
commit 1d061bb
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/codec-socks/src/main/java/io/netty/handler/codec/socks/SocksAuthRequest.java b/codec-socks/src/main/java/io/netty/handler/codec/socks/SocksAuthRequest.java
@@ -41,14 +41,14 @@ public SocksAuthRequest(String username, String password) {
             throw new NullPointerException("username");
         }
         if (!asciiEncoder.canEncode(username) || !asciiEncoder.canEncode(password)) {
-            throw new IllegalArgumentException(" username: " + username + " or password: " + password +
-                    " values should be in pure ascii");
+            throw new IllegalArgumentException(
+                    "username: " + username + " or password: **** values should be in pure ascii");
         }
         if (username.length() > 255) {
-            throw new IllegalArgumentException(username + " exceeds 255 char limit");
+            throw new IllegalArgumentException("username: " + username + " exceeds 255 char limit");
         }
         if (password.length() > 255) {
-            throw new IllegalArgumentException(password + " exceeds 255 char limit");
+            throw new IllegalArgumentException("password: **** exceeds 255 char limit");
         }
         this.username = username;
         this.password = password;