Powershell Regex to mask passwords?

This topic contains 6 replies, has 2 voices, and was last updated by Alessandro 1 week, 4 days ago.

  • #66009
    Alessandro
    Participant

    Hi Folks,
    I'm new to this forum, but have been searching for some advice/answers on something I am trying to implement.

    I have files (web.config or connections.config) that contain the database connection strings with the password in clear text.
    I need to scrape the files in search of every and any instance of the password and replace with XXXXX for example.

    My problem is that there are many ways to define the connection (in the XML web.config file), so instead of trying to use the XML tags, I thought it might be possible to use regex to do what I need?

    In short, I would need to find any occurrence of password=gdgdgdgdgdg; or pwd=hhdhdhdhd" or any combination of Password/pwd/Pwd and with spaces before and after the equals signs etc.

    So I would search for a string (one example would be: ;password=), then replace everything up to next colon (;)
    So there would be a lot of strings ( ;password= or ;password = or ;PWD= or ;Pwd = ) etc.
    but what I am hoping is possible is that once it finds all and any of the strings, it can replace everything up to the next occurrence of a colon?

    I was able to test on regex101.com using this:

    example ;Password=abcdefg;

    Regex:
    ;(Password=)([^;]*);

    That was finding the text after the equals sign and before the next colon in the group2 match

    However, I could not figure out how to do that in PowerShell regex. I could use the -match to find password=, but I couldn't work out how to make PowerShell find the string and then the text after the string before the next colon occurrence.

    Sorry, if I am not explaining it clearly – I hope someone can give me some advice or sample powershell code to find that string and then replace everything after the string before the colon

    Any advice would be really appreciated!
    Thanks
    Alex.

  • #66085
    Olaf Soyk
    Participant

    This might explain a little how to do it in PowerShell:

    'example ;Password=abcdefg;' -match 'Password=(.*?);'
    $Matches

    To replace the clear text passwords is a little more complex. You could try it this way:

    'example ;Password= abcdefg;' -replace "(?< =Password=\s*).*?(?=;)",'WhatEverYouLike'
    • #66103
      Alessandro
      Participant

      Hey Olaf, any chance you could provide a more detailed snippet of code for the line to do the lookup and replace?

    • #66108
      Alessandro
      Participant

      I've tried a very simple attempt:

      $content = Get-Content -path "c:\temp\web.config"
      $content -Replace '"(?< =Password=\s*).*?(?=;)"', 'xxxxx' | Out-File "c:\temp\web.config"

      But I get this error:

      The regular expression pattern (?< =Password=\s*).*?(?=;) is not valid.
      At test-mask.ps1:2 char:1
      + $content -Replace "(?< =Password=\s*).*?(?=;)", 'xxxxx' | Out-File " ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : InvalidOperation: ((?< =Password=\s*).*?(?=;):String) [], RuntimeException
      + FullyQualifiedErrorId : InvalidRegularExpression

    • #66111
      Olaf Soyk
      Participant

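      Sorry ... my fault ... there is an unwanted white space. The regex pattern should be like this:

      # Read the whole file into memory first, so it can be overwritten afterwards
      $content = Get-Content -path 'c:\temp\web.config'
      # Mask each line, then replace the file contents (appending would keep the clear-text lines)
      $content | Foreach-Object {$_ -Replace '(?<=Password=\s*).*?(?=;)', 'xxxxx'} | Set-Content -Path 'c:\temp\web.config' -Encoding utf8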

      Edit: Oh – it's not my fault. It's the forum. ;-) Just remove the space before the equal sign.

    • #66394
      Alessandro
      Participant

      Hey Olaf! You, my esteemed colleague, are a wonderful human being. It has worked like a charm!
      I've used a few variations to pick up lots of different scenarios for the possibilities of how the connection string is declared, but until now 100% hit rate. If I could buy you a beer from here in Europe I would! Thanks once again!

  • #66093
    Alessandro
    Participant

    Hey Olaf – that is great, thanks for your tips – I'll give it a go and let you know!
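
A fuller version of the replace discussed in this thread, as an added example that is not part of any participant's post. It goes beyond the thread's pattern by also matching `pwd`, spaces around the equals sign, and values that end at a closing quote instead of a semicolon; the function name `Protect-ConnectionStringPassword` and the sample file with its contents are constructed for illustration.

```powershell
# Added example, not code from the thread. The sample file below is constructed.
function Protect-ConnectionStringPassword {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Mask = 'xxxxx'
    )
    # (?<=...)  lookbehind (no space after '(?<'): key name, optional spaces, '='
    # [^;"']+   the value: everything up to the next ';' or closing quote
    # -replace is case-insensitive, so PWD=, Pwd = and password= all match.
    # Limitation: a quoted value that itself contains ';' is only masked up to that ';'.
    $pattern = '(?<=\b(?:password|pwd)\s*=\s*)[^;"'']+'
    $Text -replace $pattern, $Mask
}

# Constructed sample standing in for web.config / connections.config
$path = Join-Path ([System.IO.Path]::GetTempPath()) 'web.config.sample'
@'
<connectionStrings>
  <add name="A" connectionString="Server=db1;User Id=app;Password=abcdefg;Database=x" />
  <add name="B" connectionString="Server=db2;Uid=app;PWD = hhdhdhdhd" />
  <add name="C" connectionString="Data Source=db3;pwd=s3cret;Integrated Security=False" />
</connectionStrings>
'@ | Set-Content -Path $path -Encoding utf8

# Read the whole file, mask it, then overwrite it in one write. Appending to the
# file being masked would leave the original clear-text lines in place.
$original = Get-Content -Path $path -Raw
$masked   = Protect-ConnectionStringPassword -Text $original
Set-Content -Path $path -Value $masked -Encoding utf8 -NoNewline

# Check: after masking, no password key may be followed by anything but the mask.
$leftover = Select-String -Path $path -Pattern '(?<=\b(?:password|pwd)\s*=\s*)(?!xxxxx)[^;"'']+'
if ($leftover) { Write-Warning "Unmasked values remain on $($leftover.Count) line(s)" }
Get-Content -Path $path
```

Run it against a copy first: the masking is irreversible, and the original clear-text file may still exist in backups or source control.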
