From 3f9c4bf90b523a7a035c799dac2eedbf03120845 Mon Sep 17 00:00:00 2001
From: Mike Perham <mperham@gmail.com>
Date: Wed, 1 Apr 2020 08:11:44 -0700
Subject: [PATCH] Deep clone options, fixes #4499

Ensures any password mangling doesn't affect the runtime options
---
 Changes.md                      |  1 +
 lib/sidekiq/redis_connection.rb |  5 +++--
 test/test_redis_connection.rb   | 23 +++++++++++++----------
 3 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/Changes.md b/Changes.md
index ab09fff81..f71712611 100644
--- a/Changes.md
+++ b/Changes.md
@@ -8,6 +8,7 @@ HEAD
 - Refactor systemd integration to work better with custom binaries [#4511]
 - Don't connect to Redis at process exit if not needed [#4502]
 - Remove Redis connection naming [#4479]
+- Fix Redis Sentinel password redaction [#4499]
 
 6.0.6
 ---------
diff --git a/lib/sidekiq/redis_connection.rb b/lib/sidekiq/redis_connection.rb
index d290f024b..8527914a9 100644
--- a/lib/sidekiq/redis_connection.rb
+++ b/lib/sidekiq/redis_connection.rb
@@ -94,9 +94,10 @@ def client_opts(options)
       end
 
       def log_info(options)
-        # Don't log Redis AUTH password
         redacted = "REDACTED"
-        scrubbed_options = options.dup
+
+        # deep clone so we can muck with these options all we want
+        scrubbed_options = Marshal.load(Marshal.dump(options))
         if scrubbed_options[:url] && (uri = URI.parse(scrubbed_options[:url])) && uri.password
           uri.password = redacted
           scrubbed_options[:url] = uri.to_s
diff --git a/test/test_redis_connection.rb b/test/test_redis_connection.rb
index cd5cf703a..eb5855910 100644
--- a/test/test_redis_connection.rb
+++ b/test/test_redis_connection.rb
@@ -190,19 +190,22 @@ def server_connection(*args)
 
     describe 'logging redis options' do
       it 'redacts credentials' do
+        options = {
+          role: 'master',
+          master_name: 'mymaster',
+          sentinels: [
+            { host: 'host1', port: 26379, password: 'secret'},
+            { host: 'host2', port: 26379, password: 'secret'},
+            { host: 'host3', port: 26379, password: 'secret'},
+           ],
+           password: 'secret'
+        }
+
         output = capture_logging do
-          Sidekiq::RedisConnection.create(
-            role: 'master',
-            master_name: 'mymaster',
-            sentinels: [
-              { host: 'host1', port: 26379, password: 'secret'},
-              { host: 'host2', port: 26379, password: 'secret'},
-              { host: 'host3', port: 26379, password: 'secret'},
-             ],
-             password: 'secret'
-           )
+          Sidekiq::RedisConnection.create(options)
         end
 
+        refute_includes(options.inspect, "REDACTED")
         assert_includes(output, ':host=>"host1", :port=>26379, :password=>"REDACTED"')
         assert_includes(output, ':host=>"host2", :port=>26379, :password=>"REDACTED"')
         assert_includes(output, ':host=>"host3", :port=>26379, :password=>"REDACTED"')