| 4032 | logger.warning(warnMsg) |
| 4033 | |
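def maskSensitiveData(msg):
    """
    Masks sensitive data in the supplied message

    Four masking passes are applied in order: (1) every configured value of
    an option listed in SENSITIVE_OPTIONS is located via SENSITIVE_DATA_REGEX
    and replaced; (2) a fallback scan over command-line looking options
    (-u/--url, --data, --cookie, --auth-*, --proxy, --host, --referer,
    --header(s)/-H) masks their values; (3) URLs following "Command line:" and
    the user-name component of a "Users/" or "/home/" path are masked; (4) the
    current OS user name is masked. Every masked value is replaced by the same
    number of '*' characters, so the message keeps its length and shape.

    This is a best-effort scrub for log/output text, not a guarantee that every
    secret has been removed.

    Parameters:
        msg: message to mask; converted with getUnicode() first

    Returns:
        the masked message as returned by getUnicode()

    >>> maskSensitiveData('python sqlmap.py -u "http://www.test.com/vuln.php?id=1" --banner') == 'python sqlmap.py -u *********************************** --banner'
    True
    >>> maskSensitiveData('sqlmap.py -u test.com/index.go?id=index --auth-type=basic --auth-creds=foo:bar\\ndummy line') == 'sqlmap.py -u ************************** --auth-type=***** --auth-creds=*******\\ndummy line'
    True
    """

    retVal = getUnicode(msg)

    for item in filterNone(conf.get(_) for _ in SENSITIVE_OPTIONS):
        if isListLike(item):
            item = listToStrValue(item)

        # Backslash-escape every non-word character so the option value is
        # matched literally when interpolated into SENSITIVE_DATA_REGEX
        regex = SENSITIVE_DATA_REGEX % re.sub(r"(\W)", r"\\\1", getUnicode(item))

        # Repeat until the regex no longer matches; the result is evaluated once
        # per iteration (the original evaluated it twice). If the replacement
        # leaves the text unchanged (the extracted value already consists only
        # of '*'), stop explicitly, otherwise the loop would never terminate.
        while True:
            value = extractRegexResult(regex, retVal)
            if not value:
                break
            masked = retVal.replace(value, '*' * len(value))
            if masked == retVal:
                break
            retVal = masked

    # Just in case (for problematic parameters regarding user encoding).
    # finditer() walks the string as it was when called; each replace() builds
    # a new retVal, which is fine because matches come from the old text.
    for match in re.finditer(r"(?im)[ -]-(u|url|data|cookie|auth-\w+|proxy|host|referer|headers?|H)( |=)(.*?)(?= -?-[a-z]|$)", retVal):
        retVal = retVal.replace(match.group(3), '*' * len(match.group(3)))

    # Fail-safe substitutions
    retVal = re.sub(r"(?i)(Command line:.+)\b(https?://[^ ]+)", lambda match: "%s%s" % (match.group(1), '*' * len(match.group(2))), retVal)
    retVal = re.sub(r"(?i)(\b\w:[\\/]+Users[\\/]+|[\\/]+home[\\/]+)([^\\/]+)", lambda match: "%s%s" % (match.group(1), '*' * len(match.group(2))), retVal)

    # The OS user name can leak via paths and prompts. getpass.getuser() is
    # called once (not three times) and may raise when no USER-style variable
    # and no passwd entry exist (e.g. minimal containers): KeyError from the
    # pwd lookup, ImportError where pwd is unavailable, OSError on newer
    # Pythons. A masking helper must not crash the logging path, so treat
    # that as "no user name to mask".
    try:
        username = getpass.getuser()
    except (KeyError, OSError, ImportError):
        username = None

    if username:
        retVal = re.sub(r"(?i)\b%s\b" % re.escape(username), '*' * len(username), retVal)

    return retVal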
| 4067 | |
| 4068 | def listToStrValue(value): |
| 4069 | """ |