Deep clone options, fixes #4499

Ensures any password mangling doesn't affect the runtime options
sidekiq · Apr 1, 2020 · 3f9c4bf · 3f9c4bf
1 parent 432f95f
commit 3f9c4bf
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 12 deletions.
diff --git a/Changes.md b/Changes.md
@@ -8,6 +8,7 @@ HEAD
 - Refactor systemd integration to work better with custom binaries [#4511]
 - Don't connect to Redis at process exit if not needed [#4502]
 - Remove Redis connection naming [#4479]
+- Fix Redis Sentinel password redaction [#4499]
 
 6.0.6
 ---------

diff --git a/lib/sidekiq/redis_connection.rb b/lib/sidekiq/redis_connection.rb
@@ -94,9 +94,10 @@ def client_opts(options)
       end
 
       def log_info(options)
-        # Don't log Redis AUTH password
         redacted = "REDACTED"
-        scrubbed_options = options.dup
+
+        # deep clone so we can muck with these options all we want
+        scrubbed_options = Marshal.load(Marshal.dump(options))
         if scrubbed_options[:url] && (uri = URI.parse(scrubbed_options[:url])) && uri.password
           uri.password = redacted
           scrubbed_options[:url] = uri.to_s

diff --git a/test/test_redis_connection.rb b/test/test_redis_connection.rb
@@ -190,19 +190,22 @@ def server_connection(*args)
 
     describe 'logging redis options' do
       it 'redacts credentials' do
+        options = {
+          role: 'master',
+          master_name: 'mymaster',
+          sentinels: [
+            { host: 'host1', port: 26379, password: 'secret'},
+            { host: 'host2', port: 26379, password: 'secret'},
+            { host: 'host3', port: 26379, password: 'secret'},
+           ],
+           password: 'secret'
+        }
+
         output = capture_logging do
-          Sidekiq::RedisConnection.create(
-            role: 'master',
-            master_name: 'mymaster',
-            sentinels: [
-              { host: 'host1', port: 26379, password: 'secret'},
-              { host: 'host2', port: 26379, password: 'secret'},
-              { host: 'host3', port: 26379, password: 'secret'},
-             ],
-             password: 'secret'
-           )
+          Sidekiq::RedisConnection.create(options)
         end
 
+        refute_includes(options.inspect, "REDACTED")
         assert_includes(output, ':host=>"host1", :port=>26379, :password=>"REDACTED"')
         assert_includes(output, ':host=>"host2", :port=>26379, :password=>"REDACTED"')
         assert_includes(output, ':host=>"host3", :port=>26379, :password=>"REDACTED"')