93 lines
2.8 KiB
Bash
93 lines
2.8 KiB
Bash
#!/bin/bash
|
|
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2026-06-11; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.live.builder
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
|
|
guard_sourcing || return "${ERR_GUARD_SRCE}"
|
|
|
|
#######################################
|
|
# Replaces exact registered secret values in one controlled log file.
|
|
# Globals:
|
|
# _ARY_SECRET_REDACTION_VALUES
|
|
# Arguments:
|
|
# 1: log file
|
|
# Returns:
|
|
# 0: on success or missing log
|
|
# ERR_SANITIZING: on failure
|
|
#######################################
|
|
sanitize_debug_log() {
|
|
declare log_file="$1" log_text="" replacement="" secret_value="" tmp_file=""
|
|
|
|
[[ -n "${log_file}" && -f "${log_file}" ]] || return 0
|
|
[[ ! -L "${log_file}" ]] || return "${ERR_SANITIZING:-133}"
|
|
|
|
log_text="$(cat "${log_file}" || exit $?; printf '.')" || return "${ERR_SANITIZING:-133}"
|
|
log_text="${log_text%.}"
|
|
|
|
for secret_value in "${_ARY_SECRET_REDACTION_VALUES[@]}"; do
|
|
[[ -n "${secret_value}" ]] || continue
|
|
printf -v replacement '%*s' "${#secret_value}" ''
|
|
replacement="${replacement// /*}"
|
|
log_text="${log_text//"${secret_value}"/"${replacement}"}"
|
|
done
|
|
|
|
tmp_file="$(mktemp "${log_file}.sanitize.XXXXXX")" || return "${ERR_SANITIZING:-133}"
|
|
chmod 0600 "${tmp_file}" || {
|
|
rm -f "${tmp_file}"
|
|
return "${ERR_SANITIZING:-133}"
|
|
}
|
|
printf '%s' "${log_text}" >| "${tmp_file}" || {
|
|
rm -f "${tmp_file}"
|
|
return "${ERR_SANITIZING:-133}"
|
|
}
|
|
mv -f "${tmp_file}" "${log_file}" || {
|
|
rm -f "${tmp_file}"
|
|
return "${ERR_SANITIZING:-133}"
|
|
}
|
|
|
|
return 0
|
|
}
|
|
### Prevents accidental 'unset -f'.
|
|
# shellcheck disable=SC2034
|
|
readonly -f sanitize_debug_log
|
|
|
|
#######################################
|
|
# Runs the final exact-value sanitisation pass for controlled logs.
|
|
# Globals:
|
|
# LOG_DEBUG
|
|
# LOG_ERROR
|
|
# LOG_VAR
|
|
# Arguments:
|
|
# None
|
|
# Returns:
|
|
# 0: on success
|
|
# ERR_SANITIZING: on failure
|
|
#######################################
|
|
sanitize_debug_logs() {
|
|
declare log_file=""
|
|
declare -a log_files=("${LOG_DEBUG:-}" "${LOG_VAR:-}" "${LOG_ERROR:-}")
|
|
|
|
set +x
|
|
if [[ -e "/proc/$$/fd/42" || -e "/dev/fd/42" ]]; then
|
|
exec 42>&-
|
|
fi
|
|
|
|
for log_file in "${log_files[@]}"; do
|
|
sanitize_debug_log "${log_file}" || return "${ERR_SANITIZING:-133}"
|
|
done
|
|
|
|
return 0
|
|
}
|
|
### Prevents accidental 'unset -f'.
|
|
# shellcheck disable=SC2034
|
|
readonly -f sanitize_debug_logs
|
|
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|