File CVE-2022-0718.patch of Package python-oslo.utils.39639

Index: oslo.utils-4.1.1/oslo_utils/strutils.py
===================================================================
--- oslo.utils-4.1.1.orig/oslo_utils/strutils.py
+++ oslo.utils-4.1.1/oslo_utils/strutils.py
@@ -74,6 +74,7 @@ _SANITIZE_KEYS = ['adminpass', 'admin_pa
 # for XML and JSON automatically.
 _SANITIZE_PATTERNS_2 = {}
 _SANITIZE_PATTERNS_1 = {}
+_SANITIZE_PATTERNS_WILDCARD = {}
 
 # NOTE(amrith): Some regular expressions have only one parameter, some
 # have two parameters. Use different lists of patterns here.
@@ -89,6 +90,7 @@ _FORMAT_PATTERNS_2 = [r'(%(key)s[0-9]*\s
                       r'([\'"][^\'"]*%(key)s[0-9]*[\'"]\s*,\s*\'--?[A-z]+'
                       r'\'\s*,\s*u?[\'"])[^\"\']*([\'"])',
                       r'(%(key)s[0-9]*\s*--?[A-z]+\s*)\S+(\s*)']
+_FORMAT_PATTERNS_WILDCARD = [r'([\'\"][^\"\']*%(key)s[0-9]*[\'\"]\s*:\s*u?[\'\"].*[\'\"])[^\"\']*([\'\"])']  # noqa: E501
 
 # NOTE(dhellmann): Keep a separate list of patterns by key so we only
 # need to apply the substitutions for keys we find using a quick "in"
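Review bot: The greedy `.*` inside group 1 of `_FORMAT_PATTERNS_WILDCARD` is compiled with `re.DOTALL` and substituted with `\g<1>` alone in `mask_password`, so group 1 appears to extend to the second-to-last quote of the whole message, not of the password value. When another quoted field follows the password, as in the constructed input `{'adminPass':'a'b', 'user':'admin'}`, the text kept verbatim would include the unmasked remainder `b`, and the text deleted would be `admin'` from the unrelated field. That leaves part of the secret in the log and silently drops non-secret log content. Consider bounding the value so it cannot run past the next field separator or line end. The pass also inserts no `secret` of its own, so a comment beside the list such as `# Trim-only pass: must run after patterns 1 and 2 have inserted the mask.` would help.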
@@ -96,6 +98,7 @@ _FORMAT_PATTERNS_2 = [r'(%(key)s[0-9]*\s
 for key in _SANITIZE_KEYS:
     _SANITIZE_PATTERNS_1[key] = []
     _SANITIZE_PATTERNS_2[key] = []
+    _SANITIZE_PATTERNS_WILDCARD[key] = []
 
     for pattern in _FORMAT_PATTERNS_2:
         reg_ex = re.compile(pattern % {'key': key}, re.DOTALL | re.IGNORECASE)
@@ -105,6 +108,10 @@ for key in _SANITIZE_KEYS:
         reg_ex = re.compile(pattern % {'key': key}, re.DOTALL | re.IGNORECASE)
         _SANITIZE_PATTERNS_1[key].append(reg_ex)
 
+    for pattern in _FORMAT_PATTERNS_WILDCARD:
+        reg_ex = re.compile(pattern % {'key': key}, re.DOTALL | re.IGNORECASE)
+        _SANITIZE_PATTERNS_WILDCARD[key].append(reg_ex)
+
 
 def int_from_bool_as_string(subject):
     """Interpret a string as a boolean and return either 1 or 0.
@@ -332,6 +339,7 @@ def mask_password(message, secret="***")
 
     substitute1 = r'\g<1>' + secret
     substitute2 = r'\g<1>' + secret + r'\g<2>'
+    substitute_wildcard = r'\g<1>'
 
     # NOTE(ldbragst): Check to see if anything in message contains any key
     # specified in _SANITIZE_KEYS, if not then just return the message since
@@ -342,7 +350,12 @@ def mask_password(message, secret="***")
                 message = re.sub(pattern, substitute2, message)
             for pattern in _SANITIZE_PATTERNS_1[key]:
                 message = re.sub(pattern, substitute1, message)
-
+            # NOTE(hberaud): Those case are poorly handled by previous
+            # patterns. They are passwords with quotes or double quotes.
+            # They also needs a different way to substitute group this is why
+            # they aren't fix in the pattern 1 or 2.
+            for pattern in _SANITIZE_PATTERNS_WILDCARD[key]:
+                message = re.sub(pattern, substitute_wildcard, message)
     return message
 
 
Index: oslo.utils-4.1.1/oslo_utils/tests/test_strutils.py
===================================================================
--- oslo.utils-4.1.1.orig/oslo_utils/tests/test_strutils.py
+++ oslo.utils-4.1.1/oslo_utils/tests/test_strutils.py
@@ -618,11 +618,20 @@ class MaskPasswordTestCase(test_base.Bas
         expected = 'test = "param1" : "value"'
         self.assertEqual(expected, strutils.mask_password(payload))
 
+        payload = 'test = "original_password" : "aaaaa"aaaa"'
+        expected = 'test = "original_password" : "***"'
+        self.assertEqual(expected, strutils.mask_password(payload))
+
         payload = """{'adminPass':'TL0EfN33'}"""
         payload = six.text_type(payload)
         expected = """{'adminPass':'***'}"""
         self.assertEqual(expected, strutils.mask_password(payload))
 
+        payload = """{'adminPass':'TL0E'fN33'}"""
+        payload = six.text_type(payload)
+        expected = """{'adminPass':'***'}"""
+        self.assertEqual(expected, strutils.mask_password(payload))
+
         payload = """{'token':'mytoken'}"""
         payload = six.text_type(payload)
         expected = """{'token':'***'}"""
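Review bot: Both added cases put the password last in the payload, so nothing here pins what `mask_password` returns when another quoted field follows a password that contains a quote. Add a case such as `payload = """{'adminPass':'TL0E'fN33', 'user':'admin'}"""` (constructed) and assert that no fragment of `TL0E'fN33` survives and that `'user':'admin'` comes back unchanged. A multi-line payload would also be worth covering, since the patterns are compiled with `re.DOTALL`. The enclosing test method starts and ends outside the hunk.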
@@ -697,6 +706,11 @@ class MaskDictionaryPasswordTestCase(tes
         expected = {'password': '***'}
         self.assertEqual(expected,
                          strutils.mask_dict_password(payload))
+
+        payload = {'password': 'TL0Ef"N33'}
+        expected = {'password': '***'}
+        self.assertEqual(expected,
+                         strutils.mask_dict_password(payload))
 
         payload = {'user': 'admin', 'password': 'TL0EfN33'}
         expected = {'user': 'admin', 'password': '***'}
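Review bot: The added `mask_dict_password` case may not exercise the regex change at all. The function body is not part of this patch, but if it replaces values by matching the key name, `{'password': 'TL0Ef"N33'}` would already produce `{'password': '***'}` on the unpatched code. Confirm that this case fails without the fix; if it does not, it is not a regression test for the quote handling and should be replaced by one that routes the quoted secret through `mask_password`.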
Index: oslo.utils-4.1.1/releasenotes/notes/fix_mask_password_regex-c0661f95a23369a4.yaml
===================================================================
--- /dev/null
+++ oslo.utils-4.1.1/releasenotes/notes/fix_mask_password_regex-c0661f95a23369a4.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fix regex used to mask password. The ``strutils.mask_password``
+    function will now correctly handle passwords that contain
+    single or double quotes. Previously, only the characters before the
+    quote were masked.