V9.14.022.2026.06.11: add path security helpers

lib/lib_debug_sanitizer.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2026-06-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SRCE}"
+
+#######################################
+# Replaces exact registered secret values in one controlled log file.
+# Globals:
+#   _ARY_SECRET_REDACTION_VALUES
+# Arguments:
+#   1: log file
+# Returns:
+#   0: on success or missing log
+#   ERR_SANITIZING: on failure
+#######################################
+sanitize_debug_log() {
+  declare log_file="$1" log_text="" replacement="" secret_value="" tmp_file=""
+
+  [[ -n "${log_file}" && -f "${log_file}" ]] || return 0
+  [[ ! -L "${log_file}" ]] || return "${ERR_SANITIZING:-133}"
+
+  log_text="$(cat "${log_file}" || exit $?; printf '.')" || return "${ERR_SANITIZING:-133}"
+  log_text="${log_text%.}"
+
+  for secret_value in "${_ARY_SECRET_REDACTION_VALUES[@]}"; do
+    [[ -n "${secret_value}" ]] || continue
+    printf -v replacement '%*s' "${#secret_value}" ''
+    replacement="${replacement// /*}"
+    log_text="${log_text//"${secret_value}"/"${replacement}"}"
+  done
+
+  tmp_file="$(mktemp "${log_file}.sanitize.XXXXXX")" || return "${ERR_SANITIZING:-133}"
+  chmod 0600 "${tmp_file}" || {
+    rm -f "${tmp_file}"
+    return "${ERR_SANITIZING:-133}"
+  }
+  printf '%s' "${log_text}" >| "${tmp_file}" || {
+    rm -f "${tmp_file}"
+    return "${ERR_SANITIZING:-133}"
+  }
+  mv -f "${tmp_file}" "${log_file}" || {
+    rm -f "${tmp_file}"
+    return "${ERR_SANITIZING:-133}"
+  }
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f sanitize_debug_log
+
+#######################################
+# Runs the final exact-value sanitisation pass for controlled logs.
+# Globals:
+#   LOG_DEBUG
+#   LOG_ERROR
+#   LOG_VAR
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_SANITIZING: on failure
+#######################################
+sanitize_debug_logs() {
+  declare log_file=""
+  declare -a log_files=("${LOG_DEBUG:-}" "${LOG_VAR:-}" "${LOG_ERROR:-}")
+
+  set +x
+  if [[ -e "/proc/$$/fd/42" || -e "/dev/fd/42" ]]; then
+    exec 42>&-
+  fi
+
+  for log_file in "${log_files[@]}"; do
+    sanitize_debug_log "${log_file}" || return "${ERR_SANITIZING:-133}"
+  done
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f sanitize_debug_logs
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh