From 5f7bc587885ff92997236f174b4cb7166f114d50 Mon Sep 17 00:00:00 2001
From: badrAZ
Date: Wed, 19 Aug 2020 10:56:40 +0200
Subject: [PATCH] fix(xo-server/sensitive-values): obfuscate params containing "password" (#5220)
Fixes #5219
---
 CHANGELOG.unreleased.md | 2 ++
 packages/xo-server/src/sensitive-values.js | 13 ++++++-------
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.unreleased.md b/CHANGELOG.unreleased.md
index 7ff11e764..2951ef788 100644
--- a/CHANGELOG.unreleased.md
+++ b/CHANGELOG.unreleased.md
@@ -17,6 +17,7 @@
 - [Proxy/deploy] Fix `no such proxy ok` error on a failure trial start (PR [#5196](https://github.com/vatesfr/xen-orchestra/pull/5196))
 - [VM/snapshots] Fix redirection when creating a VM from a snapshot (PR [#5213](https://github.com/vatesfr/xen-orchestra/pull/5213))
 - [User] Fix `Incorrect password` error when changing password [#5218](https://github.com/vatesfr/xen-orchestra/issues/5218) (PR [#5221](https://github.com/vatesfr/xen-orchestra/pull/5221))
+- [Audit] Obfuscate sensitive data in `user.changePassword` action's records [#5219](https://github.com/vatesfr/xen-orchestra/issues/5219) (PR [#5220](https://github.com/vatesfr/xen-orchestra/pull/5220))
 ### Packages to release
@@ -35,6 +36,7 @@
 >
 > In case of conflict, the highest (lowest in previous list) `$version` wins.
+- xo-server patch
 - xo-server-sdn-controller patch
 - xo-server minor
 - xo-web minor
diff --git a/packages/xo-server/src/sensitive-values.js b/packages/xo-server/src/sensitive-values.js
index b36afd6bd..61dc78d28 100644
--- a/packages/xo-server/src/sensitive-values.js
+++ b/packages/xo-server/src/sensitive-values.js
@@ -26,16 +26,15 @@ export const merge = (newValue, oldValue) => {
 export const obfuscate = value => replace(value, OBFUSCATED_VALUE)
-const SENSITIVE_PARAMS = {
- __proto__: null,
- cifspassword: true,
- password: true,
- token: true,
-}
+const SENSITIVE_PARAMS = ['token', /password/i]
+const isSensitiveParam = name =>
+ SENSITIVE_PARAMS.some(pattern =>
+ typeof pattern === 'string' ? pattern === name : pattern.test(name)
+ )
 export function replace(value, replacement) {
 function helper(value, name) {
- if (typeof value === 'string' && name in SENSITIVE_PARAMS) {
+ if (typeof value === 'string' && isSensitiveParam(name)) {
 return replacement
 }
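Review bot: In the new `SENSITIVE_PARAMS`, `token` is still matched only as an exact, case-sensitive name (`pattern === name`) while password matching became a case-insensitive substring test (`/password/i`), so a parameter named e.g. `authToken` or `accessToken` — if any such parameter reaches the audit log, which this hunk does not show — would still be recorded in clear. Since the list now accepts regexps, the consistent form is `const SENSITIVE_PARAMS = [/password/i, /token/i]`, and a short comment above it would help the next person extending it: `// Param names are matched against these entries (exact for strings, RegExp#test otherwise); matching string values are replaced by the caller's replacement.` Note that `pattern.test(name)` coerces `name` to a string, which is fine for `undefined` or array indices but throws on a Symbol key, so whether `helper` can ever receive one depends on the traversal below the hunk. The body of `replace`/`helper` continues past the end of the hunk.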