Refactor security logger

Customize security logger to avoid logging secret values. * Add a new safe string printer. * Only log the safe params in send(). * Bump codeql[0]. [0]: https://github.blog/changelog/2022-04-27-code-scanning-deprecation-of-codeql-action-v1/ Signed-off-by: SuperQ <superq@gmail.com>
gosnmp · Dec 15, 2022 · f2ab7d6 · f2ab7d6
1 parent 9a70609
commit f2ab7d6
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 5 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -29,15 +29,15 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -51,4 +51,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2
diff --git a/marshal.go b/marshal.go
@@ -437,7 +437,7 @@ func (x *GoSNMP) send(packetOut *SnmpPacket, wait bool) (result *SnmpPacket, err
 	}
 
 	if result.Version == Version3 {
-		x.Logger.Printf("SEND STORE SECURITY PARAMS from result: %+v", result)
+		x.Logger.Printf("SEND STORE SECURITY PARAMS from result: %s", result.SecurityParameters.String())
 		err = x.storeSecurityParameters(result)
 
 		if result.PDUType == Report && len(result.Variables) == 1 {

diff --git a/v3.go b/v3.go
@@ -40,6 +40,7 @@ type SnmpV3SecurityParameters interface {
 	Log()
 	Copy() SnmpV3SecurityParameters
 	Description() string
+	String() string
 	validate(flags SnmpV3MsgFlags) error
 	init(log Logger) error
 	initPacket(packet *SnmpPacket) error

diff --git a/v3_usm.go b/v3_usm.go
@@ -206,11 +206,27 @@ func (sp *UsmSecurityParameters) Description() string {
 	return sb.String()
 }
 
+// String returns a logging safe (no secrets) string of the UsmSecurityParameters
+func (sp *UsmSecurityParameters) String() string {
+	sp.mu.Lock()
+	defer sp.mu.Unlock()
+	return fmt.Sprintf("AuthoritativeEngineID:%s, AuthoritativeEngineBoots:%d, AuthoritativeEngineTimes:%d, UserName:%s, AuthenticationParameters:%s, PrivacyParameters:%v, AuthenticationProtocol:%s, PrivacyProtocol:%s",
+		sp.AuthoritativeEngineID,
+		sp.AuthoritativeEngineBoots,
+		sp.AuthoritativeEngineTime,
+		sp.UserName,
+		sp.AuthenticationParameters,
+		sp.PrivacyParameters,
+		sp.AuthenticationProtocol,
+		sp.PrivacyProtocol,
+	)
+}
+
 // Log logs security paramater information to the provided GoSNMP Logger
 func (sp *UsmSecurityParameters) Log() {
 	sp.mu.Lock()
 	defer sp.mu.Unlock()
-	sp.Logger.Printf("SECURITY PARAMETERS:%+v", sp)
+	sp.Logger.Printf("SECURITY PARAMS: %s", sp.String())
 }
 
 // Copy method for UsmSecurityParameters used to copy a SnmpV3SecurityParameters without knowing it's implementation