diff --git a/wifite/util/interface_manager.py b/wifite/util/interface_manager.py
index 93f2de870..f637a76fe 100755
--- a/wifite/util/interface_manager.py
+++ b/wifite/util/interface_manager.py
@@ -1707,10 +1707,19 @@ def get_available_interfaces() -> List[InterfaceInfo]:
# Task 11.1: Log interface capabilities
log_info('InterfaceManager', f' {interface_name}: {interface_info.get_capability_summary()}')
+ # Mask MAC address to avoid logging full hardware identifier
+ masked_mac = interface_info.mac_address
+ try:
+ if isinstance(interface_info.mac_address, str) and interface_info.mac_address:
+ parts = interface_info.mac_address.split(':')
+ if len(parts) == 6:
+ masked_mac = ':'.join(parts[:3] + ['**', '**', '**'])
+ except Exception:
+ pass
log_debug('InterfaceManager', f' {interface_name} details: driver={interface_info.driver}, '
f'chipset={interface_info.chipset}, phy={interface_info.phy}, '
- f'mac={interface_info.mac_address}')
+ f'mac={masked_mac}')
log_debug('InterfaceManager', f' {interface_name} state: mode={interface_info.current_mode}, '
f'up={interface_info.is_up}, connected={interface_info.is_connected}')
diff --git a/wifite/util/logger.py b/wifite/util/logger.py
index 5ec828ce4..9e1516891 100755
--- a/wifite/util/logger.py
+++ b/wifite/util/logger.py
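Review bot: The nine added lines re-implement the OUI-preserving MAC mask that logger.py's `_sanitize_message` applies inside `_format_message` in this same commit, so this call site now carries a second copy of the rule, wrapped in a `try/except Exception: pass` around `str.split`/`str.join` that cannot raise on a non-empty str. If `log_debug` routes through `_format_message` (not visible here), the `mac=` field is masked even without this block; if it does not, the better fix is one shared helper rather than a per-site copy, e.g. `def mask_mac(mac: str) -> str` exported from logger.py and used here as `f'mac={mask_mac(interface_info.mac_address)}'`. Two copies will drift: the local one only understands `:` separators and the logger's regex is equally limited, so a `-`-separated or bare-hex MAC is logged in full by both. `get_available_interfaces` begins before this hunk.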
@@ -92,11 +92,71 @@ def _should_log(cls, level: int) -> bool: """Check if message should be logged based on level.""" return cls._enabled and level >= cls._log_level + @classmethod + def _sanitize_message(cls, message: str) -> str: + """ + Best-effort sanitization to avoid logging sensitive data in clear text. + + Currently masks: + - Known wpa-sec API key from Configuration.wpasec_api_key + - Command-line API key arguments like "-k " and "--key " + - MAC addresses in standard hex notation (aa:bb:cc:dd:ee:ff) + """ + try: + # Import lazily to avoid circular imports during module initialization + from ..config import Configuration # type: ignore + except Exception: + Configuration = None # type: ignore + + sanitized = message + + # Mask configured wpa-sec API key if present in message + try: + if Configuration is not None and getattr(Configuration, "wpasec_api_key", None): + api_key = Configuration.wpasec_api_key + if isinstance(api_key, str) and api_key: + masked_key = api_key[:4] + "*" * (len(api_key) - 4) if len(api_key) > 4 else "****" + sanitized = sanitized.replace(api_key, masked_key) + except Exception: + # Never let sanitization break logging + pass + + # Mask common CLI key patterns: "-k " and "--key " + try: + import re + + def _mask_cli_key(match): + flag = match.group(1) + return f"{flag} ****" + + sanitized = re.sub(r"(-k)\s+\S+", _mask_cli_key, sanitized) + sanitized = re.sub(r"(--key)\s+\S+", _mask_cli_key, sanitized) + except Exception: + pass + + # Mask MAC addresses: aa:bb:cc:dd:ee:ff -> aa:bb:cc:**:**:** + try: + import re + + def _mask_mac(match): + full = match.group(0) + parts = full.split(":") + if len(parts) == 6: + return ":".join(parts[:3] + ["**", "**", "**"]) + return full + + sanitized = re.sub(r"\b([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b", _mask_mac, sanitized) + except Exception: + pass + + return sanitized + @classmethod def _format_message(cls, level: str, module: str, message: str) -> str: """Format log message with timestamp and 
level.""" timestamp = datetime.now().strftime('%Y-%m-%d %H:%M:%S') - return f"[{timestamp}] [{level:8s}] [{module:20s}] {message}" + safe_message = cls._sanitize_message(message) + return f"[{timestamp}] [{level:8s}] [{module:20s}] {safe_message}" @classmethod def _write_to_file(cls, formatted_message: str): diff --git a/wifite/util/process.py b/wifite/util/process.py index f7a1882f1..d64bb1c8c 100755 --- a/wifite/util/process.py +++ b/wifite/util/process.py @@ -151,7 +151,17 @@ def __init__(self, command, devnull=False, stdout=PIPE, stderr=PIPE, cwd=None, b self._devnull_handles = [] cmd_str = " ".join(command) if isinstance(command, list) else str(command) - log_debug('Process', f'Creating process: {cmd_str}') + # Avoid logging sensitive arguments (e.g. API keys) in clear text + try: + import re + def _mask_cli_key(match): + flag = match.group(1) + return f"{flag} ****" + safe_cmd_str = re.sub(r"(-k)\s+\S+", _mask_cli_key, cmd_str) + safe_cmd_str = re.sub(r"(--key)\s+\S+", _mask_cli_key, safe_cmd_str) + except Exception: + safe_cmd_str = cmd_str + log_debug('Process', f'Creating process: {safe_cmd_str}') if Configuration.verbose > 1: Color.pe(f'\n {{C}}[?] {{W}} Executing: {{B}}{" ".join(command)}{{W}}')
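Review bot: The CLI-key masking in `_sanitize_message` only catches the space-separated form; `--key=VALUE` (and an attached `-kVALUE`) pass through unmasked, and because `(-k)` is not anchored it will also rewrite any token that merely ends in `-k` followed by whitespace. A single module-level pattern closes the `=` gap and avoids re-importing `re` and recompiling two regexes on every log call: `_CLI_KEY_RE = re.compile(r"(?<![\w-])(-k|--key)(?:=|\s+)\S+")` with `sanitized = _CLI_KEY_RE.sub(lambda m: f"{m.group(1)} ****", sanitized)`; the MAC regex deserves the same hoisting. Separately, `masked_key = api_key[:4] + ...` deliberately writes the first four characters of the wpa-sec key into the log; unless that prefix is needed to tell keys apart, masking the whole value is safer. Note also that every `except Exception: pass` here fails open — on an unexpected error the unsanitized message is what gets written — which is a defensible trade for a logger but should be stated in the docstring so nobody treats this as a guarantee.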
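Review bot: The masking added before `log_debug` does not cover the `Color.pe(... Executing: ...{" ".join(command)}...)` line two lines below, which still prints the raw command — API key included — to the terminal whenever `Configuration.verbose > 1`, so the secret is moved from the log file to the console (and to any terminal capture or CI output) rather than removed. Reuse the masked string there: `Color.pe(f'\n {{C}}[?] {{W}} Executing: {{B}}{safe_cmd_str}{{W}}')`. If `log_debug` already passes through the logger's `_format_message` sanitizer from this commit, the local regex pass is redundant for the log line and is only needed for the console print; either way the pattern should be compiled once at module level instead of `import re` and a fresh `re.sub` inside every `Process.__init__`. `__init__` begins before this hunk.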