Moved the password option lookup into a shared place so the same logic can be used from multiple places when guarding password output.

Duplicati/Library/Main/Options.cs

@@ -25,6 +25,7 @@ using System.Collections.Generic;
 using Duplicati.Library.Interface;
 using Duplicati.Library.Utility;
 using System.Globalization;
+using Duplicati.Library.DynamicLoader;
 
 namespace Duplicati.Library.Main
 {
@@ -34,6 +35,21 @@ namespace Duplicati.Library.Main
     /// </summary>
     public class Options
     {
+        /// <summary>
+        /// A set of options that are considered to be password-like
+        /// </summary>
+        public static IReadOnlySet<string> AllPasswordOptions { get; } =
+            BackendLoader.Backends.SelectMany(x => x.SupportedCommands ?? [])
+                .Concat(EncryptionLoader.Modules.SelectMany(x => x.SupportedCommands ?? []))
+                .Concat(CompressionLoader.Modules.SelectMany(x => x.SupportedCommands ?? []))
+                .Concat(GenericLoader.Modules.SelectMany(x => x.SupportedCommands ?? []))
+                .Concat(WebLoader.Modules.SelectMany(x => x.SupportedCommands ?? []))
+                .Concat(new Options(new Dictionary<string, string>()).SupportedCommands)
+                .Where(x => x.Type == CommandLineArgument.ArgumentType.Password)
+                .SelectMany(x => new string[] { x.Name }.Concat(x.Aliases ?? []))
+                .SelectMany(x => new string[] { x, $"--{x}" })
+                .ToHashSet(StringComparer.OrdinalIgnoreCase);
+
         private const string DEFAULT_BLOCK_HASH_ALGORITHM = "SHA256";
         private const string DEFAULT_FILE_HASH_ALGORITHM = "SHA256";
 

Duplicati/Library/RestAPI/Database/Backup.cs

@@ -24,28 +24,12 @@ using Duplicati.Server.Serialization.Interface;
 using System.Collections.Generic;
 using System.Collections.Specialized;
 using System.Linq;
+using Duplicati.Library.Main;
 
 namespace Duplicati.Server.Database
 {
     public class Backup : IBackup
     {
-        // Sensitive information that may be stored in TargetUrl
-        private readonly string[] UrlPasswords = {
-            "authid",
-            "auth-password",
-            "sia-password",
-            "storj-secret",
-            "storj-shared-access",
-        };
-
-        // Sensitive information that may be stored in Settings
-        private readonly string[] SettingPasswords = {
-            "passphrase",
-            "--authid",
-            "--send-mail-password",
-            "--send-xmpp-password",
-        };
-
         public Backup()
         {
             this.ID = null;
@@ -135,10 +119,8 @@ namespace Duplicati.Server.Database
                 // breaks assumptions made by the decode_uri function in AppUtils.js. Since we are simply
                 // removing password parameters, we will leave the parameters as they are in the target URL.
                 filteredParameters = Library.Utility.Uri.ParseQueryString(url.Query, false);
-                foreach (string field in this.UrlPasswords)
-                {
-                    filteredParameters.Remove(field);
-                }
+                foreach (var key in filteredParameters.AllKeys.Where(x => Options.AllPasswordOptions.Contains(x)).ToList())
+                    filteredParameters.Remove(key);
             }
             url = url.SetQuery(Duplicati.Library.Utility.Uri.BuildUriQuery(filteredParameters));
             this.TargetURL = url.ToString();
@@ -149,7 +131,7 @@ namespace Duplicati.Server.Database
         /// </summary>
         public void SanitizeSettings()
         {
-            this.Settings = this.Settings.Where((setting) => !SettingPasswords.Contains(setting.Name)).ToArray();
+            this.Settings = this.Settings.Where((setting) => !Options.AllPasswordOptions.Contains(setting.Name)).ToArray();
         }
     }
 }

Duplicati/Library/RestAPI/Database/Connection.cs

@@ -26,7 +26,6 @@ using Duplicati.Server.Serialization.Interface;
 using System.Text;
 using Duplicati.Library.RestAPI;
 using Duplicati.Library.Encryption;
-using Duplicati.Library.DynamicLoader;
 using Duplicati.Library.Main;
 
 namespace Duplicati.Server.Database
@@ -40,20 +39,12 @@ namespace Duplicati.Server.Database
         public const int SERVER_SETTINGS_ID = -2;
         private readonly Dictionary<string, Backup> m_temporaryBackups = new Dictionary<string, Backup>();
         private readonly bool m_encryptSensitiveFields;
-        private static readonly HashSet<string> _encryptedFields =
-            BackendLoader.Backends.SelectMany(x => x.SupportedCommands ?? [])
-                .Concat(EncryptionLoader.Modules.SelectMany(x => x.SupportedCommands ?? []))
-                .Concat(CompressionLoader.Modules.SelectMany(x => x.SupportedCommands ?? []))
-                .Concat(GenericLoader.Modules.SelectMany(x => x.SupportedCommands ?? []))
-                .Concat(WebLoader.Modules.SelectMany(x => x.SupportedCommands ?? []))
-                .Concat(new Options(new Dictionary<string, string>()).SupportedCommands)
-                .Where(x => x.Type == Duplicati.Library.Interface.CommandLineArgument.ArgumentType.Password)
-                .SelectMany(x => new string[] { x.Name }.Concat(x.Aliases ?? []))
-                .SelectMany(x => new string[] { x, $"--{x}" })
-                .Concat([
-                    ServerSettings.CONST.JWT_CONFIG,
-                    ServerSettings.CONST.PBKDF_CONFIG
-                ])
+        private static readonly IReadOnlySet<string> _encryptedFields =
+            Options.AllPasswordOptions
+            .Concat([
+                ServerSettings.CONST.JWT_CONFIG,
+                ServerSettings.CONST.PBKDF_CONFIG
+            ])
             .ToHashSet(StringComparer.OrdinalIgnoreCase);
 
         public Connection(System.Data.IDbConnection connection, bool disableFieldEncryption)