MqttConnectPayload.toString() includes password (#15547) (#15548)

jbertram · web-flow · commit 3d9861a44a57 · 2025-08-12T10:51:19.000+02:00
Motivation: See #15547 for the motivation for this change. Modification: 1-line change to `MqttConnectPayload.toString()` so that the `password` field is no longer included. Result: Password is no longer part of `toString()` which means it won't potentially be included in log files. Fixes #15547.
diff --git a/codec-mqtt/src/main/java/io/netty/handler/codec/mqtt/MqttConnectPayload.java b/codec-mqtt/src/main/java/io/netty/handler/codec/mqtt/MqttConnectPayload.java
@@ -130,7 +130,7 @@ public String toString() {
             .append(", willTopic=").append(willTopic)
             .append(", willMessage=").append(Arrays.toString(willMessage))
             .append(", userName=").append(userName)
-            .append(", password=").append(Arrays.toString(password))
+            .append(", password=").append("****")
             .append(']')
             .toString();
     }
diff --git a/codec-mqtt/src/test/java/io/netty/handler/codec/mqtt/MqttCodecTest.java b/codec-mqtt/src/test/java/io/netty/handler/codec/mqtt/MqttCodecTest.java
@@ -36,6 +36,7 @@
 import org.mockito.stubbing.Answer;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.LinkedList;
 import java.util.List;
 
@@ -57,6 +58,7 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertInstanceOf;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -79,6 +81,7 @@ public class MqttCodecTest {
     private static final String WILL_MESSAGE = "gone";
     private static final String USER_NAME = "happy_user";
     private static final String PASSWORD = "123_or_no_pwd";
+    private static final byte[] PASSWORD_BYTES = PASSWORD.getBytes(CharsetUtil.UTF_8);
 
     private static final int KEEP_ALIVE_SECONDS = 600;
 
@@ -216,6 +219,16 @@ public void testConnectMessageNonZeroReservedBit3Mqtt311() throws Exception {
         checkForSingleDecoderException(out);
     }
 
+    @Test
+    public void testConnectMessageForPassword311() throws Exception {
+        assertFalse(createConnectMessage(MqttVersion.MQTT_3_1).toString().contains(Arrays.toString(PASSWORD_BYTES)));
+    }
+
+    @Test
+    public void testConnectMessageForPassword5() throws Exception {
+        assertFalse(createConnectMessage(MqttVersion.MQTT_5).toString().contains(Arrays.toString(PASSWORD_BYTES)));
+    }
+
     @Test
     public void testSubscribeMessageNonZeroReservedBit0Mqtt311() throws Exception {
         final MqttSubscribeMessage message = createSubscribeMessage();

Original file line number	Diff line number	Diff line change
`@@ -130,7 +130,7 @@ public String toString() {`
`130`	`130`	`.append(", willTopic=").append(willTopic)`
`131`	`131`	`.append(", willMessage=").append(Arrays.toString(willMessage))`
`132`	`132`	`.append(", userName=").append(userName)`
`133`		`- .append(", password=").append(Arrays.toString(password))`
	`133`	`+ .append(", password=").append("****")`
`134`	`134`	`.append(']')`
`135`	`135`	`.toString();`
`136`	`136`	`}`