7

I am trying to replace multiple values in logback logger which logs Cassandra CQL statements and used example from this post: Mask sensitive data in logs with logback

where invocation of %replace function is used:

%replace(  %replace(%msg){'regex1', 'replacement1'}  ){'regex2', 'replacement2'}

In my case I want to replace 3 fields - name, last name and password. Statement used is:

%replace(%replace(%replace(%msg){"first_name='.*'", "first_name='xxxxx'"}){"last_name='.*'", "last_name='yyyyyy'"}){"password='.*'", "password='zzzzzz'"}%n

It seemed to work ok, but I noticed that if order of fields is different, values are removed sometimes. For example,

1) when statement is in this order it is ok:

Executed:

UPDATE usertest.users SET password='secret_pw', last_name='Smith', first_name='John' where user_id = 1745;

Logged:

UPDATE usertest.users SET password=zzzzzz, last_name=yyyyyy, first_name=xxxxx where user_id = 1745;

2) In this case last name is removed

Executed:

UPDATE usertest.users SET password='secret_pw', first_name='John', last_name='Smith' where user_id = 1745;

Logged:

UPDATE usertest.users SET password=zzzzzz, first_name=xxxxx where user_id = 1745;

3) In this case password is removed

Executed:

UPDATE usertest.users SET last_name='Smith', password='secret_pw', first_name='John' where user_id = 1745;

Logged:

UPDATE usertest.users SET last_name=yyyyyy, first_name=xxxxx where user_id = 1745;

Could someone advice why it could happen and how it could be fixed or is there any other way to solve?

Sinto
  • 3,915
  • 11
  • 36
  • 70
Tadas
  • 73
  • 1
  • 4

1 Answers1

8

This is an issue with the regex pattern picking up more than you intend it to, so the replaces are overwriting each other.

I reproduced the issue you saw, and then changed the regex to include just alphanumerics (\w instead of .) so the pattern looks like this:

%replace(  %replace(  %replace(%msg){"first_name='\w*'", "first_name='xxxxx'"}  ){"last_name='\w*'", "last_name='yyyyyy'"}  ){"password='\w*'", "password='zzzzzz'"}%n

Here are some tests:

UPDATE usertest.users SET password='secret_pw', last_name='Smith', first_name='John' where user_id = 1745;
UPDATE usertest.users SET last_name='Smith', first_name='John', password='secret_pw' where user_id = 1745;
UPDATE usertest.users SET first_name='John', password='secret_pw', last_name='Smith' where user_id = 1745;
UPDATE usertest.users SET first_name='John', last_name='Smith', password='secret_pw' where user_id = 1745;

And the logging results:

Received: QUERY UPDATE usertest.users SET password='zzzzzz', last_name='yyyyyy', first_name='xxxxx' where user_id = 1745;[pageSize = 100], v=4/v4
Received: QUERY UPDATE usertest.users SET last_name='yyyyyy', first_name='xxxxx', password='zzzzzz' where user_id = 1745;[pageSize = 100], v=4/v4
Received: QUERY UPDATE usertest.users SET first_name='xxxxx', password='zzzzzz', last_name='yyyyyy' where user_id = 1745;[pageSize = 100], v=4/v4
Received: QUERY UPDATE usertest.users SET first_name='xxxxx', last_name='yyyyyy', password='zzzzzz' where user_id = 1745;[pageSize = 100], v=4/v4
Valerie Parham-Thompson
  • 1,516
  • 1
  • 11
  • 21
  • 1
    Thanks a lot, this is working! Also to be able to replace not only literals in password, I have modified regex to replace everything except quotation mark ([^']*). Will do a bit more testing, but seems it is working with all combinations of column name orders in CQL update statement. – Tadas Sep 16 '18 at 13:29