Credentials obfuscation from multiple files

Resolves: RHEL-58096

Signed-off-by: Jan Jansky <jjansky@redhat.com>

sos-obfuscate-environment.patch

@@ -0,0 +1,146 @@
+From 60356d6b1096407ed9cd71cf519ac2a381bedee4 Mon Sep 17 00:00:00 2001
+From: Pavel Moravec <pmoravec@redhat.com>
+Date: Fri, 27 Sep 2024 08:30:06 +0200
+Subject: [PATCH 1/1] [plugins] Obfuscate http URL credentials
+
+HTTP_PROXY or similar env.variables can contain credentials we must
+scrub. The variables or directly credentials of a http(s) URL can be
+specified in several places the commit deals with.
+
+Futher, update apt plugin to use the new do_paths_httpp_sub method.
+
+Resolves: #3789
+
+Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
+---
+ sos/report/plugins/__init__.py | 15 +++++++++++++++
+ sos/report/plugins/anaconda.py |  9 +++++----
+ sos/report/plugins/apt.py      | 12 ++----------
+ sos/report/plugins/system.py   |  6 ++++++
+ sos/report/plugins/systemd.py  |  7 +++++++
+ 5 files changed, 35 insertions(+), 14 deletions(-)
+
+diff --git a/sos/report/plugins/__init__.py b/sos/report/plugins/__init__.py
+index f88f0c0d..9b54c68a 100644
+--- a/sos/report/plugins/__init__.py
++++ b/sos/report/plugins/__init__.py
+@@ -1313,6 +1313,21 @@ class Plugin():
+             replacements = 0
+         return replacements
+ 
++    def do_paths_http_sub(self, pathspecs):
++        """ Obfuscate credentials in *_PROXY variables in all files in the
++        given list. Proxy setting without protocol is ignored, since that
++        is not recommended setting and obfuscating that one can hit false
++        positives.
++
++        :param pathspecs: A filepath to obfuscate credentials in
++        :type pathspecs: ``str`` or a ``list`` of strings
++        """
++        if isinstance(pathspecs, str):
++            pathspecs = [pathspecs]
++        for path in pathspecs:
++            self.do_path_regex_sub(
++                path, r"(http(s)?://)\S+:\S+(@.*)", r"\1******:******\3")
++
+     def do_path_regex_sub(self, pathexp, regexp, subst):
+         """Apply a regexp substituation to a set of files archived by
+         sos. The set of files to be substituted is generated by matching
+diff --git a/sos/report/plugins/anaconda.py b/sos/report/plugins/anaconda.py
+index 78577d3f..77f54d65 100644
+--- a/sos/report/plugins/anaconda.py
++++ b/sos/report/plugins/anaconda.py
+@@ -24,21 +24,21 @@ class Anaconda(Plugin, RedHatPlugin):
+ 
+     def setup(self):
+ 
+-        paths = [
++        self.copypaths = [
+             "/root/anaconda-ks.cfg"
+         ]
+ 
+         if self.path_isdir('/var/log/anaconda'):
+             # new anaconda
+-            paths.append('/var/log/anaconda')
++            self.copypaths.append('/var/log/anaconda')
+         else:
+-            paths = paths + [
++            self.copypaths = self.copypaths + [
+                 "/var/log/anaconda.*",
+                 "/root/install.log",
+                 "/root/install.log.syslog"
+             ]
+ 
+-        self.add_copy_spec(paths)
++        self.add_copy_spec(self.copypaths)
+ 
+     def postproc(self):
+         self.do_file_sub(
+@@ -51,5 +51,6 @@ class Anaconda(Plugin, RedHatPlugin):
+             r"(user.*--password=*\s*)\s*(\S*)",
+             r"\1********"
+         )
++        self.do_paths_http_sub(self.copypaths)
+ 
+ # vim: set et ts=4 sw=4 :
+diff --git a/sos/report/plugins/apt.py b/sos/report/plugins/apt.py
+index 857a11b6..464cfb98 100644
+--- a/sos/report/plugins/apt.py
++++ b/sos/report/plugins/apt.py
+@@ -48,19 +48,11 @@ class Apt(Plugin, DebianPlugin, UbuntuPlugin):
+     def postproc(self):
+         super().postproc()
+ 
+-        common_regex = r"(http(s)?://)\S+:\S+(@.*)"
+-        common_replace = r"\1******:******\3"
+-
+-        files_to_sub = [
++        self.do_paths_http_sub([
+             "/etc/apt/sources.list",
+             "/etc/apt/sources.list.d/",
+             "/etc/apt/apt.conf",
+             "/etc/apt/apt.conf.d/",
+-        ]
+-
+-        for file in files_to_sub:
+-            self.do_path_regex_sub(
+-                file, common_regex, common_replace
+-            )
++        ])
+ 
+ # vim: set et ts=4 sw=4 :
+diff --git a/sos/report/plugins/system.py b/sos/report/plugins/system.py
+index cc282dc1..fcba1161 100644
+--- a/sos/report/plugins/system.py
++++ b/sos/report/plugins/system.py
+@@ -40,5 +40,11 @@ class System(Plugin, IndependentPlugin):
+             "ld.so --list-tunables"
+         ])
+ 
++    def postproc(self):
++        self.do_paths_http_sub([
++            "/etc/sysconfig",
++            "/etc/default",
++            "/etc/environment",
++        ])
+ 
+ # vim: set et ts=4 sw=4 :
+diff --git a/sos/report/plugins/systemd.py b/sos/report/plugins/systemd.py
+index a50a155e..b23b32fe 100644
+--- a/sos/report/plugins/systemd.py
++++ b/sos/report/plugins/systemd.py
+@@ -95,4 +95,11 @@ class Systemd(Plugin, IndependentPlugin):
+         ])
+         self.add_forbidden_path('/dev/null')
+ 
++    def postproc(self):
++        self.do_paths_http_sub([
++            "/etc/systemd/system",
++            "/lib/systemd/system",
++            "/run/systemd/system",
++        ])
++
+ # vim: set et ts=4 sw=4 :
+-- 
+2.43.5
+

sos.spec

@@ -5,7 +5,7 @@
 Summary: A set of tools to gather troubleshooting information from a system
 Name: sos
 Version: 4.8.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Applications/System
 Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz
 Source1: sos-audit-%{auditversion}.tgz
@@ -24,6 +24,7 @@ Conflicts: vdsm < 4.40
 Obsoletes: sos-collector <= 1.9
 Patch0: sos-Revert-changed-formatting.patch
 Patch1: sos-RHEL-22732-Fix-check_file_too_big.patch
+Patch2: sos-obfuscate-environment.patch
 
 %description
 Sos is a set of tools that gathers information about system
@@ -36,6 +37,7 @@ support technicians and developers.
 %setup -T -D -a1 -q
 %patch -P 0 -p1
 %patch -P 1 -p1
+%patch -P 2 -p1
 
 %build
 %py3_build
@@ -108,6 +110,10 @@ of the system.  Currently storage and filesystem commands are audited.
 
 
 %changelog
+* Fri Sep 27 2024 Jan Jansky <jjansky@redhat.com> = 4.8.0-4
+- Added credentials obfuscation from multiple files
+  Resolves: RHEL-58096
+
 * Wed Sep 25 2024 Jan Jansky <jjansky@redhat.com> = 4.8.0-3
 - Update 4.8.0
   Resolves: RHEL-58096