
fix: do not redact secret value when it is file path

zmstone 1 год назад
Родитель
Сommit
d4de8f0abb

+ 9 - 4
apps/emqx_utils/src/emqx_utils_redact.erl

@@ -155,13 +155,18 @@ redact_v(V) when is_binary(V) ->
         [{var, _}] ->
             V;
         _ ->
-            <<?REDACT_VAL>>
+            do_redact_v(V)
     end;
 redact_v([{str, Bin}]) when is_binary(Bin) ->
     %% The HOCON schema system may generate sensitive values with this format
-    [{str, <<?REDACT_VAL>>}];
-redact_v(_V) ->
-    ?REDACT_VAL.
+    [{str, do_redact_v(Bin)}];
+redact_v(V) ->
+    do_redact_v(V).
+
+do_redact_v(<<"file://", _/binary>> = V) -> V;
+do_redact_v("file://" ++ _ = V) -> V;
+do_redact_v(B) when is_binary(B) -> <<?REDACT_VAL>>;
+do_redact_v(_) -> ?REDACT_VAL.
 
 deobfuscate(NewConf, OldConf) ->
     deobfuscate(NewConf, OldConf, fun(_) -> false end).
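Review bot: The two new `do_redact_v/1` clauses at the top of the helper exempt a value from masking purely on its leading bytes, so any string or binary that begins with `file://` — whether or not it is actually a path — is now emitted verbatim in logs and HTTP responses, and nothing in the code says that this is the intended contract. A reader of `redact_v/1` has to follow `do_redact_v/1` and infer the reason, so the exemption deserves a comment where it is made: `%% A value of the form file://<path> is a reference to the file holding the secret, not the secret itself, so it is left readable; only the exact lowercase scheme is recognised, anything else is masked.` It may also be worth stating in that comment that the path itself is assumed non-sensitive, since it reveals filesystem layout. The enclosing `redact_v/1` function starts before this hunk (its header is the `@@` context line).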

+ 27 - 0
apps/emqx_utils/test/emqx_utils_redact_tests.erl

@@ -45,6 +45,33 @@ no_redact_template_var_test() ->
         })
     ).
 
+no_redact_file_paths_test() ->
+    ?assertEqual(
+        #{
+            password => <<"file:///abs/path/a">>,
+            <<"secret">> => <<"file://relative/path/b">>,
+            account_key => "file://string/path/x",
+            private_key => "file://string/path/y"
+        },
+        redact(#{
+            password => <<"file:///abs/path/a">>,
+            <<"secret">> => <<"file://relative/path/b">>,
+            account_key => "file://string/path/x",
+            private_key => "file://string/path/y"
+        })
+    ).
+
+deobfuscate_file_path_secrets_test_() ->
+    Original1 = #{foo => #{bar => #{headers => #{"authorization" => "file://a"}}}},
+    Original2 = #{foo => #{bar => #{headers => #{"authorization" => "a"}}}},
+    Redacted2 = #{foo => #{bar => #{headers => #{"authorization" => "******"}}}},
+    [
+        ?_assertEqual(Original1, redact(Original1)),
+        ?_assertEqual(Original1, emqx_utils_redact:deobfuscate(Original1, Original1)),
+        ?_assertEqual(Redacted2, redact(Original2)),
+        ?_assertEqual(Original2, emqx_utils_redact:deobfuscate(Redacted2, Original2))
+    ].
+
 redact(X) -> emqx_utils:redact(X).
 
 is_redacted(Key, Value) ->
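Review bot: The new `no_redact_file_paths_test/0` and `deobfuscate_file_path_secrets_test_/0` only feed plain binaries and strings through `redact/1`, so the `[{str, Bin}]` clause that the same commit changes to call `do_redact_v(Bin)` is not exercised by any test here. Assuming `password` is treated as a sensitive key in this module (the existing tests rely on that), one extra assertion in `no_redact_file_paths_test/0` would cover it: `?assertEqual(#{password => [{str, <<"file:///abs/path/a">>}]}, redact(#{password => [{str, <<"file:///abs/path/a">>}]}))`. A negative case such as `redact(#{password => <<"FILE:///x">>})` still being masked would also pin the intended exact-scheme behaviour of the prefix match.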

+ 1 - 0
changes/ce/fix-14267.en.md

@@ -0,0 +1 @@
+Do not redact secrets in logs and HTTP responses when the secret string is a file path (`file:///path/to/the/secret`).