Fix the bug that write redis sensitive command information to redis_cli historyfile (#11489)

Currently, we do not write the following sensitive commands into the ~/.rediscli_history file: ACL SETUSER username [rule [rule ...]] AUTH [username] password HELLO [AUTH username password] MIGRATE host port <key | ""> destination-db timeout [[AUTH password | AUTH2 username password]] CONFIG SET masterauth master-password CONFIG SET masteruser username CONFIG SET requirepass foobared However, we still write the following sensitive commands into the ~/.rediscli_history file: ACL GETUSER username Sentinel CONFIG set sentinel-pass password Sentinel CONFIG set sentinel-user username Sentinel set mastername auth-pass password Sentinel set mastername auth-user username This change adds the commands of the second list to be skipped from being written to the history file.
2023-11-05 07:20:15 -05:00 · 2023-11-05 07:20:15 -05:00 · 28b6155ba5
commit 28b6155ba5
parent 15a048d4f0
1 changed files with 25 additions and 4 deletions
--- a/src/redis-cli.c
+++ b/src/redis-cli.c
@ -3262,16 +3262,19 @@ void cliLoadPreferences(void) {
 /* Some commands can include sensitive information and shouldn't be put in the
 * history file. Currently these commands are include:
 * - AUTH
- * - ACL SETUSER
+ * - ACL SETUSER, ACL GETUSER
 * - CONFIG SET masterauth/masteruser/requirepass
 * - HELLO with [AUTH username password]
- * - MIGRATE with [AUTH password] or [AUTH2 username password] */
+ * - MIGRATE with [AUTH password] or [AUTH2 username password] 
+ * - SENTINEL CONFIG SET sentinel-pass password, SENTINEL CONFIG SET sentinel-user username 
+ * - SENTINEL SET <mastername> auth-pass password, SENTINEL SET <mastername> auth-user username */
 static int isSensitiveCommand(int argc, char **argv) {
    if (!strcasecmp(argv[0],"auth")) {
        return 1;
    } else if (argc > 1 &&
-        !strcasecmp(argv[0],"acl") &&
-        !strcasecmp(argv[1],"setuser"))
+        !strcasecmp(argv[0],"acl") && (
+            !strcasecmp(argv[1],"setuser") ||
+            !strcasecmp(argv[1],"getuser")))
    {
        return 1;
    } else if (argc > 2 &&
@ -3310,6 +3313,24 @@ static int isSensitiveCommand(int argc, char **argv) {
                return 0;
            }
        }
+    } else if (argc > 4 && !strcasecmp(argv[0], "sentinel")) {
+        /* SENTINEL CONFIG SET sentinel-pass password
+         * SENTINEL CONFIG SET sentinel-user username */
+        if (!strcasecmp(argv[1], "config") && 
+            !strcasecmp(argv[2], "set") &&
+            (!strcasecmp(argv[3], "sentinel-pass") ||
+             !strcasecmp(argv[3], "sentinel-user"))) 
+        {
+            return 1;
+        }
+        /* SENTINEL SET <mastername> auth-pass password 
+         * SENTINEL SET <mastername> auth-user username */
+        if (!strcasecmp(argv[1], "set") &&
+            (!strcasecmp(argv[3], "auth-pass") || 
+             !strcasecmp(argv[3], "auth-user"))) 
+        {
+            return 1;
+        }
    }
    return 0;
 }