From 7337eb6b800caec6ac1216a48ec2d5c1c82f6341 Mon Sep 17 00:00:00 2001
From: Waldemar Quevedo <wally@synadia.com>
Date: Thu, 13 Sep 2018 12:49:00 -0700
Subject: [PATCH] Fix regex matching group for removing password

Signed-off-by: Waldemar Quevedo <wally@synadia.com>
---
 server/client.go   | 4 ++--
 server/log_test.go | 7 +++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/server/client.go b/server/client.go
index 593f5779..9a09cef3 100644
--- a/server/client.go
+++ b/server/client.go
@@ -706,7 +706,7 @@ func (c *client) processErr(errStr string) {
 }
 
 // Password pattern matcher.
-var passPat = regexp.MustCompile(`"?\s*pass\S*\s*"?\s*[:=]\s*("?[^\s,}$]*)`)
+var passPat = regexp.MustCompile(`"?\s*pass\S*?"?[:=]\s*"?(([^"])*)`)
 
 // This will remove any notion of passwords from trace messages
 // for logging.
@@ -721,7 +721,7 @@ func removePassFromTrace(arg []byte) []byte {
 	}
 
 	for _, match := range m {
-		if len(match) != 2 {
+		if len(match) != 3 {
 			continue
 		}
 		arg = bytes.Replace(arg, match[1], []byte("[REDACTED]"), 1)
diff --git a/server/log_test.go b/server/log_test.go
index d74b9e66..d9b06822 100644
--- a/server/log_test.go
+++ b/server/log_test.go
@@ -228,7 +228,10 @@ func TestRemovePassFromTrace(t *testing.T) {
 	check(removePassFromTrace([]byte("CONNECT {\"user\":\"derek\",\"pass\":\"s3cr3t\"}\r\n")))
 	check(removePassFromTrace([]byte("CONNECT {\"user\":\"derek\",\"pass\":  \"s3cr3t\"}\r\n")))
 	check(removePassFromTrace([]byte("CONNECT {\"user\":\"derek\",\"pass\":    \"s3cr3t\"     }\r\n")))
-	check(removePassFromTrace([]byte("CONNECT {\"password\":\"s3cr3t\",}\r\n")))
-	check(removePassFromTrace([]byte("CONNECT {pass:s3cr3t\r\n")))
+	check(removePassFromTrace([]byte("CONNECT {\"pass\":\"s3cr3t\",}\r\n")))
 	check(removePassFromTrace([]byte("CONNECT {pass:s3cr3t ,   password =  s3cr3t}")))
+	check(removePassFromTrace([]byte("CONNECT {\"echo\":true,\"verbose\":false,\"pedantic\":false,\"user\":\"foo\",\"pass\":\"s3cr3t\",\"tls_required\":false,\"name\":\"APM7JU94z77YzP6WTBEiuw\"}\r\n")))
+	check(removePassFromTrace([]byte("CONNECT {pass:s3cr3t\r\n")))
+	check(removePassFromTrace([]byte("CONNECT {\"password\":\"s3cr3t\",}\r\n")))
+	check(removePassFromTrace([]byte("CONNECT {\"echo\":true,\"verbose\":false,\"pedantic\":false,\"user\":\"foo\",\"password\":\"s3cr3t\",\"tls_required\":false,\"name\":\"APM7JU94z77YzP6WTBEiuw\"}\r\n")))
 }