Merge pull request #1841 from hugoaboud/master

Security Patch: Sanitize credentials on websocket error messages

pkg/core/core_test.go

@@ -118,3 +118,17 @@ func TestName(t *testing.T) {
 	// stage3
 	_ = prod2.Stop()
 }
+
+func TestStripUserinfo(t *testing.T) {
+	s := `streams:
+  test:
+    - ffmpeg:rtsp://username:password@10.1.2.3:554/stream1
+    - ffmpeg:rtsp://10.1.2.3:554/stream1@#video=copy
+`
+	s = StripUserinfo(s)
+	require.Equal(t, `streams:
+  test:
+    - ffmpeg:rtsp://***@10.1.2.3:554/stream1
+    - ffmpeg:rtsp://10.1.2.3:554/stream1@#video=copy
+`, s)
+}

pkg/core/helpers.go

@@ -2,6 +2,7 @@ package core
 
 import (
 	"crypto/rand"
+	"regexp"
 	"runtime"
 	"strconv"
 	"strings"
@@ -77,3 +78,14 @@ func Caller() string {
 	_, file, line, _ := runtime.Caller(1)
 	return file + ":" + strconv.Itoa(line)
 }
+
+const (
+	unreserved = `A-Za-z0-9-._~`
+	subdelims  = `!$&'()*+,;=`
+	userinfo   = unreserved + subdelims + `%:`
+)
+
+func StripUserinfo(s string) string {
+	sanitizer := regexp.MustCompile(`://[` + userinfo + `]+@`)
+	return sanitizer.ReplaceAllString(s, `://***@`)
+}