do not log password in ssh connection output

A longer-term approach may be to refactor Options to be a class insteaad of a simple hash, so that this can be applied across all transports.
inspec · Jun 27, 2016 · b001f58 · b001f58
1 parent 34e46b5
commit b001f58
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/lib/train/transports/ssh_connection.rb b/lib/train/transports/ssh_connection.rb
@@ -216,7 +216,9 @@ def session(retry_options = {})
     #
     # @api private
     def to_s
-      "#{@username}@#{@hostname}<#{@options.inspect}>"
+      options_to_print = @options.clone
+      options_to_print[:password] = "<hidden>" if options_to_print.has_key?(:password)
+      "#{@username}@#{@hostname}<#{options_to_print.inspect}>"
     end
 
     class OS < OSCommon

diff --git a/test/unit/transports/ssh_test.rb b/test/unit/transports/ssh_test.rb
@@ -82,6 +82,15 @@ def detect_family
     end
   end
 
+  describe 'converting connection to string for logging' do
+   it "masks passwords" do
+      assert_output(/.*:password=>"<hidden>".*/) do
+        connection = cls.new(conf).connection
+        puts "#{connection}"
+      end
+    end
+  end
+
   describe 'failed configuration' do
     it 'works with a minimum valid config' do
       cls.new(conf).connection