diff --git a/server/src/main/java/com/cloud/api/ApiServer.java b/server/src/main/java/com/cloud/api/ApiServer.java index c78ac05102f8..ab6e4d90cfe9 100644 --- a/server/src/main/java/com/cloud/api/ApiServer.java +++ b/server/src/main/java/com/cloud/api/ApiServer.java @@ -41,6 +41,7 @@ import java.util.List; import java.util.Map; import java.util.Set; +import java.util.Arrays; import java.util.TimeZone; import java.util.concurrent.ExecutorService; import java.util.concurrent.LinkedBlockingQueue; @@ -624,10 +625,29 @@ public String handleRequest(final Map params, final String responseType, final S logger.error("invalid request, no command sent"); if (logger.isTraceEnabled()) { logger.trace("dumping request parameters"); - for (final Object key : params.keySet()) { - final String keyStr = (String)key; - final String[] value = (String[])params.get(key); - logger.trace(" key: " + keyStr + ", value: " + ((value == null) ? "'null'" : value[0])); + + // define sensitive fields that need to be masked in the logs + Set sensitiveFields = new HashSet<>(Arrays.asList( + "password", "secretkey", "apikey", "token", + "sessionkey", "accesskey", "signature", + "authorization", "credential", "secret" + )); + + for (final Object key : params.keySet()) { + final String keyStr = (String) key; + final String[] value = (String[]) params.get(key); + + boolean isSensitive = sensitiveFields.stream() + .anyMatch(field -> keyStr.toLowerCase().contains(field)); + + String logValue; + if (isSensitive) { + logValue = "******"; // mask sensitive values + } else { + logValue = (value == null) ? "'null'" : value[0]; + } + + logger.trace(" key: " + keyStr + ", value: " + logValue); } } throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, "Invalid request, no command sent");