Merge pull request #16555 from nextcloud/fix/16529/mask-keys

use a pattern to identify sensitive config keys

2 files changed, 7 insertions, 4 deletions

diff --git a/lib/private/AppConfig.php b/lib/private/AppConfig.php
index 6d24ca5fa8e..8e921dbb7cf 100644
--- a/lib/private/AppConfig.php
+++ b/lib/private/AppConfig.php
@@ -44,10 +44,10 @@ class AppConfig implements IAppConfig {
 	/** @var array[] */
 	protected $sensitiveValues = [
 		'spreed' => [
-			'turn_server_secret',
+			'/^turn_server_secret$/',
 		],
 		'user_ldap' => [
-			'ldap_agent_password',
+			'/^(s..)?ldap_agent_password$/',
 		],
 	];
 
@@ -289,8 +289,9 @@ class AppConfig implements IAppConfig {
 		$values = $this->getValues($app, false);
 
 		if (isset($this->sensitiveValues[$app])) {
-			foreach ($this->sensitiveValues[$app] as $sensitiveKey) {
-				if (isset($values[$sensitiveKey])) {
+			foreach ($this->sensitiveValues[$app] as $sensitiveKeyExp) {
+				$sensitiveKeys = preg_grep($sensitiveKeyExp, array_keys($values));
+				foreach ($sensitiveKeys as $sensitiveKey) {
 					$values[$sensitiveKey] = IConfig::SENSITIVE_VALUE;
 				}
 			}
diff --git a/tests/lib/AppConfigTest.php b/tests/lib/AppConfigTest.php
index fed929352d3..9456fe4c232 100644
--- a/tests/lib/AppConfigTest.php
+++ b/tests/lib/AppConfigTest.php
@@ -318,12 +318,14 @@ class AppConfigTest extends TestCase {
 			->with('user_ldap', false)
 			->willReturn([
 				'ldap_agent_password' => 'secret',
+				's42ldap_agent_password' => 'secret',
 				'ldap_dn' => 'dn',
 			]);
 
 		$values = $config->getFilteredValues('user_ldap');
 		$this->assertEquals([
 			'ldap_agent_password' => IConfig::SENSITIVE_VALUE,
+			's42ldap_agent_password' => IConfig::SENSITIVE_VALUE,
 			'ldap_dn' => 'dn',
 		], $values);
 	}