From 96757f0c58432f982976340c0622b17c3e10d124 Mon Sep 17 00:00:00 2001
From: jean-philippe bempel
Date: Thu, 2 Apr 2020 17:54:02 +0200
Subject: [PATCH] Remove sensitive information from debug log

Config.toString() method is dumped when logging in debug the conf. It includes in some case the profile api key when used with env vars. Also proxy password is also dumped. toString method generated by Lombok now excludes both fields
---
 .../src/main/java/datadog/trace/api/Config.java | 2 +-
 .../test/groovy/datadog/trace/api/ConfigTest.groovy | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/dd-trace-api/src/main/java/datadog/trace/api/Config.java b/dd-trace-api/src/main/java/datadog/trace/api/Config.java
index e9b6e9c816..72ed152750 100644
--- a/dd-trace-api/src/main/java/datadog/trace/api/Config.java
+++ b/dd-trace-api/src/main/java/datadog/trace/api/Config.java
@@ -38,7 +38,7 @@ import lombok.extern.slf4j.Slf4j;
 * system property, but uppercased with '.' -> '_'.
 */
 @Slf4j
-@ToString(includeFieldNames = true)
+@ToString(includeFieldNames = true, exclude = {"profilingApiKey", "profilingProxyPassword"})
 public class Config {
 /** Config keys below */
 private static final String PREFIX = "dd.";
diff --git a/dd-trace-api/src/test/groovy/datadog/trace/api/ConfigTest.groovy b/dd-trace-api/src/test/groovy/datadog/trace/api/ConfigTest.groovy
index db37f07a6a..82e29caab6 100644
--- a/dd-trace-api/src/test/groovy/datadog/trace/api/ConfigTest.groovy
+++ b/dd-trace-api/src/test/groovy/datadog/trace/api/ConfigTest.groovy
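Review bot: In `Config.java`, the `exclude = {"profilingApiKey", "profilingProxyPassword"}` list on `@ToString` names the fields as strings, so a later rename of either field can silently put the secret back into the debug log; as far as I know Lombok only warns, rather than failing the build, when an excluded name matches no field. Annotating the two fields themselves with `@ToString.Exclude` keeps the exclusion attached to the declaration; those field declarations are outside this hunk. The exclusion is also a deny-list, so any credential-bearing field added to `Config` later is logged by default. A class-level comment such as `// Fields holding secrets must be excluded from toString(): it is written to the debug log` would tell the next contributor what is expected.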
@@ -406,6 +406,19 @@ class ConfigTest extends DDSpecification {
 config.profilingApiKey == "test-api-key"
 }
 
+ def "sensitive information removed for toString/debug log"() {
+ setup:
+ environmentVariables.set(DD_PROFILING_API_KEY_ENV, "test-secret-api-key")
+ environmentVariables.set(PROFILING_PROXY_PASSWORD, "test-secret-proxy-password")
+
+ when:
+ def config = new Config()
+
+ then:
+ !config.toString().contains("test-secret-api-key")
+ !config.toString().contains("test-secret-proxy-password")
+ }
+
 def "sys props override env vars"() {
 setup:
 environmentVariables.set(DD_SERVICE_NAME_ENV, "still something else")
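Review bot: Both `then:` assertions in the new spec are negative, so the test also passes when the secrets never reach `Config` at all. Adding `config.profilingApiKey == "test-secret-api-key"` and `config.profilingProxyPassword == "test-secret-proxy-password"` ahead of the `contains` checks would prove the values were loaded and only withheld from `toString()`, assuming the proxy password is readable from the spec the same way `profilingApiKey` is. This matters most for the proxy password: `PROFILING_PROXY_PASSWORD` does not follow the `DD_..._ENV` naming of the other environment-variable constants visible in this hunk, so it may be the property key rather than the environment variable name and the value may never be picked up; worth confirming.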