sensitive information check: ignore use-password

platform/configuration-store-impl/testSrc/xml/ForbidSensitiveInformationTest.kt

+// Copyright 2000-2018 JetBrains s.r.o. Use of this source code is governed by the Apache 2.0 license that can be found in the LICENSE file.
+package com.intellij.configurationStore.xml
+
+import com.intellij.configurationStore.JbXmlOutputter
+import com.intellij.openapi.util.io.FileUtilRt
+import com.intellij.testFramework.assertions.Assertions.assertThat
+import com.intellij.util.SystemProperties
+import com.intellij.util.xmlb.annotations.Attribute
+import com.intellij.util.xmlb.annotations.OptionTag
+import com.intellij.util.xmlb.annotations.Tag
+import org.assertj.core.api.Assertions.assertThatThrownBy
+import org.junit.Test
+import java.io.StringWriter
+
+internal class ForbidSensitiveInformationTest {
+  @Test
+  fun `do not store password as attribute`() {
+    @Tag("bean")
+    class Bean {
+      @Attribute
+      var password: String? = null
+
+      @Attribute
+      var foo: String? = null
+    }
+
+    val bean = Bean()
+    bean.foo = "module"
+    bean.password = "ab"
+    // it is not part of XML bindings to ensure that even if you will use JDOM directly, you cannot output sensitive data
+    // so, testSerializer must not throw error
+    val element = assertSerializer(bean, "<bean password=\"ab\" foo=\"module\" />")
+
+    assertThatThrownBy {
+      val xmlWriter = JbXmlOutputter()
+      xmlWriter.output(element, StringWriter())
+    }.hasMessage("Attribute \"password\" probably contains sensitive information")
+  }
+
+  @Test
+  fun `do not store password as element`() {
+    @Tag("bean")
+    class Bean {
+      var password: String? = null
+
+      @Attribute
+      var foo: String? = null
+    }
+
+    val bean = Bean()
+    bean.foo = "module"
+    bean.password = "ab"
+    // it is not part of XML bindings to ensure that even if you will use JDOM directly, you cannot output sensitive data
+    // so, testSerializer must not throw error
+    val element = assertSerializer(bean, """
+        <bean foo="module">
+          <option name="password" value="ab" />
+        </bean>
+      """.trimIndent())
+
+    assertThatThrownBy {
+      val xmlWriter = JbXmlOutputter(
+        storageFilePathForDebugPurposes = "${FileUtilRt.toSystemIndependentName(SystemProperties.getUserHome())}/foo/bar.xml")
+      xmlWriter.output(element, StringWriter())
+    }.hasMessage("Element \"password\" probably contains sensitive information (file: ~/foo/bar.xml)")
+  }
+
+  @Test
+  fun `configuration name with password word`() {
+    @Tag("bean")
+    class Bean {
+      @OptionTag(tag = "configuration", valueAttribute = "bar")
+      var password: String? = null
+
+      // check that use or save password fields are ignored
+      var usePassword = false
+      var savePassword = false
+      var rememberPassword = false
+      @Attribute("keep-password")
+      var keepPassword = false
+    }
+
+    val bean = Bean()
+    bean.password = "ab"
+    bean.usePassword = true
+    bean.keepPassword = true
+    bean.rememberPassword = true
+    bean.savePassword = true
+    // it is not part of XML bindings to ensure that even if you will use JDOM directly, you cannot output sensitive data
+    // so, testSerializer must not throw error
+    val element = assertSerializer(bean, """
+      <bean keep-password="true">
+        <option name="rememberPassword" value="true" />
+        <option name="savePassword" value="true" />
+        <option name="usePassword" value="true" />
+        <configuration name="password" bar="ab" />
+      </bean>
+      """.trimIndent())
+
+    val xmlWriter = JbXmlOutputter()
+    val stringWriter = StringWriter()
+    xmlWriter.output(element, stringWriter)
+    assertThat(stringWriter.toString()).isEqualTo("""
+        <bean keep-password="true">
+          <option name="rememberPassword" value="true" />
+          <option name="savePassword" value="true" />
+          <option name="usePassword" value="true" />
+          <configuration name="password" bar="ab" />
+        </bean>
+      """.trimIndent())
+  }
+}
\ No newline at end of file

platform/configuration-store-impl/testSrc/xml/XmlSerializerTest.kt

@@ -3,25 +3,23 @@
 
 package com.intellij.configurationStore.xml
 
-import com.intellij.configurationStore.*
-import com.intellij.openapi.util.io.FileUtilRt
+import com.intellij.configurationStore.StoredPropertyStateTest
+import com.intellij.configurationStore.clearBindingCache
+import com.intellij.configurationStore.deserialize
+import com.intellij.configurationStore.serialize
 import com.intellij.openapi.util.text.StringUtil
 import com.intellij.testFramework.UsefulTestCase
 import com.intellij.testFramework.assertConcurrent
 import com.intellij.testFramework.assertions.Assertions.assertThat
-import com.intellij.util.SystemProperties
 import com.intellij.util.loadElement
 import com.intellij.util.xmlb.*
 import com.intellij.util.xmlb.annotations.*
-import com.intellij.util.xmlb.annotations.Property
 import junit.framework.TestCase
-import org.assertj.core.api.Assertions.assertThatThrownBy
 import org.intellij.lang.annotations.Language
 import org.jdom.Element
 import org.junit.Test
 import org.junit.runner.RunWith
 import org.junit.runners.Suite
-import java.io.StringWriter
 import java.util.*
 
 @RunWith(Suite::class)
@@ -34,7 +32,8 @@ import java.util.*
   KotlinXmlSerializerTest::class,
   XmlSerializerConversionTest::class,
   XmlSerializerListTest::class,
-  XmlSerializerSetTest::class
+  XmlSerializerSetTest::class,
+  ForbidSensitiveInformationTest::class
 )
 class XmlSerializerTestSuite
 
@@ -650,85 +649,6 @@ internal class XmlSerializerTest {
     testSerializer("<bean ab=\"ab\" module=\"module\" />", bean, SkipDefaultsSerializationFilter())
   }
 
-  @Test
-  fun `do not store password as attribute`() {
-    @Tag("bean")
-    class Bean {
-      @Attribute
-      var password: String? = null
-
-      @Attribute
-      var foo: String? = null
-    }
-
-    val bean = Bean()
-    bean.foo = "module"
-    bean.password = "ab"
-    // it is not part of XML bindings to ensure that even if you will use JDOM directly, you cannot output sensitive data
-    // so, testSerializer must not throw error
-    val element = assertSerializer(bean, "<bean password=\"ab\" foo=\"module\" />")
-
-    assertThatThrownBy {
-      val xmlWriter = JbXmlOutputter()
-      xmlWriter.output(element, StringWriter())
-    }.hasMessage("Attribute \"password\" probably contains sensitive information")
-  }
-
-  @Test
-  fun `do not store password as element`() {
-    @Tag("bean")
-    class Bean {
-      var password: String? = null
-
-      @Attribute
-      var foo: String? = null
-    }
-
-    val bean = Bean()
-    bean.foo = "module"
-    bean.password = "ab"
-    // it is not part of XML bindings to ensure that even if you will use JDOM directly, you cannot output sensitive data
-    // so, testSerializer must not throw error
-    val element = assertSerializer(bean, """
-      <bean foo="module">
-        <option name="password" value="ab" />
-      </bean>
-    """.trimIndent())
-
-    assertThatThrownBy {
-      val xmlWriter = JbXmlOutputter(storageFilePathForDebugPurposes = "${FileUtilRt.toSystemIndependentName(SystemProperties.getUserHome())}/foo/bar.xml")
-      xmlWriter.output(element, StringWriter())
-    }.hasMessage("Element \"password\" probably contains sensitive information (file: ~/foo/bar.xml)")
-  }
-
-  @Test
-  fun `configuration name with password word`() {
-    @Tag("bean")
-    class Bean {
-      @OptionTag(tag ="configuration", valueAttribute = "bar")
-      var password: String? = null
-    }
-
-    val bean = Bean()
-    bean.password = "ab"
-    // it is not part of XML bindings to ensure that even if you will use JDOM directly, you cannot output sensitive data
-    // so, testSerializer must not throw error
-    val element = assertSerializer(bean, """
-     <bean>
-       <configuration name="password" bar="ab" />
-     </bean>
-    """.trimIndent())
-
-    val xmlWriter = JbXmlOutputter()
-    val stringWriter = StringWriter()
-    xmlWriter.output(element, stringWriter)
-    assertThat(stringWriter.toString()).isEqualTo("""
-      <bean>
-        <configuration name="password" bar="ab" />
-      </bean>
-    """.trimIndent())
-  }
-
   @Test
   fun cdataAfterNewLine() {
     @Tag("bean")

platform/projectModel-impl/src/com/intellij/configurationStore/BaseXmlOutputter.kt

@@ -9,9 +9,14 @@ import java.io.Writer
 abstract class BaseXmlOutputter(protected val lineSeparator: String) {
   companion object {
     fun isNameIndicatesSensitiveInformation(name: String): Boolean {
-      return name.contains("password") && !(name.contains("remember", ignoreCase = true) ||
-                                            name.contains("keep", ignoreCase = true) ||
-                                            name.contains("save", ignoreCase = true))
+      if (name.contains("password")) {
+        val isRemember = name.contains("remember", ignoreCase = true) ||
+                         name.contains("keep", ignoreCase = true) ||
+                         name.contains("use", ignoreCase = true) ||
+                         name.contains("save", ignoreCase = true)
+        return !isRemember
+      }
+      return false
     }
   }
 

platform/projectModel-impl/src/com/intellij/configurationStore/JbXmlOutputter.kt

@@ -508,7 +508,7 @@ open class JbXmlOutputter @JvmOverloads constructor(lineSeparator: String = "\n"
     var name: String? = element.name
 
     @Suppress("SpellCheckingInspection")
-    if (BaseXmlOutputter.isNameIndicatesSensitiveInformation(name!!)) {
+    if (isNameIndicatesSensitiveInformation(name!!)) {
       logSensitiveInformationError(name, "Element")
     }