Powershell Regex to mask passwords?

Hi Folks,
I’m new to this forum, but have been searching for some advice/answers on something I am trying to implement.

I have files (web.config or connections.config) that contain the database connection strings with the password in clear text.
I need to scrape the files in search of every and any instance of the password and replace with XXXXX for example.

My problem is that there are many ways to define the connection (in the XML web.config file), so instead of trying to use the XML tags, I thought it might be possible to use regex to do what I need?

In short, I would need to find any occurrence of password=gdgdgdgdgdg; or pwd=hhdhdhdhd" or any combination of Password/pwd/Pwd and with spaces before and after the equals signs etc.

So I would search for a string (one example would be: ;password=), then replace everything up to next colon (;)
So there would be a lot of strings ( ;password= or ;password = or ;PWD= or ;Pwd = ) etc.
but what I am hoping is possible is that once it finds all and any of the strings, it can replace everything up to the next occurrence of a colon?

I was able to test on regex101.com using this:

example ;Password=abcdefg;


That was finding the text after the equals sign and before the next colon in the group2 match

However, I could not figure out how to do that in powershell regex. I could use the -match to find password=, but I couldn’t work out how to make powershell find the string and then the text after the string before the next colon occurrence.

Sorry, if I am not explaining it clearly - I hope someone can give me some advice or sample powershell code to find that string and then replace everything after the string before the colon

Any advice would be really appreciated!

This might explain it a little how to do it in Powershell

'example ;Password=abcdefg;' -match 'Password=(.*?);'
To replace the clear text passwords is a little more complex. You could try it this way:
'example ;Password= abcdefg;' -replace "(?<=Password=\s*).*?(?=;)", 'WhatEverYouLike'

Hey Olaf - that is great, thanks for your tips - I’ll give it a go and let you know!

Hey Olaf, any chance you could provide a more detailed snippet of code for the line to do the lookup and replace?

I’ve tried a very simple attempt:

$content = Get-Content -path "c:\temp\web.config"
$content -Replace "(?< =Password=\s*).*?(?=;)", 'xxxxx' | Out-File "c:\temp\web.config"

But I get this error:

The regular expression pattern (?< =Password=\s*).*?(?=;) is not valid.
At test-mask.ps1:2 char:1
+ $content -Replace "(?< =Password=\s*).*?(?=;)", 'xxxxx' | Out-File " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ((?< =Password=\s*).*?(?=;):String) [], RuntimeException
+ FullyQualifiedErrorId : InvalidRegularExpression

Sorry … my fault … there is an unwanted white space. The regex pattern should be like this:

$content = Get-Content -Path 'c:\temp\web.config'
# Mask every line, then overwrite the file once; appending to the file that was just read would leave the clear-text lines in place
$content | ForEach-Object { $_ -replace '(?<=Password=\s*).*?(?=;)', 'xxxxx' } | Out-File -FilePath 'c:\temp\web.config' -Encoding utf8
Edit: Oh - it’s not my fault. It’s the forum. ;) Just remove the space before the equal sign.

Hey Olaf! You, my esteemed colleague, are a wonderful human being. It has worked like a charm!
I’ve used a few variations to pick up lots of different scenarios for the possibilities of how the connection string is declared, but until now 100% hit rate. If I could buy you a beer from here in Europe I would! Thanks once again!
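
A fuller version of the approach worked out in this thread, added here as an example and not code from any of the posters: it goes beyond the single `Password=` case to cover the Password/pwd spellings and optional spaces around the equals sign, then checks that nothing was missed. It assumes unquoted values that end at the next `;` or closing quote; the function name `Hide-ConnectionStringPassword`, the sample lines and the scratch file `web.config.demo` are constructed for illustration.

```powershell
# Added example (not from the thread). Masks unquoted Password=/Pwd= values.
function Hide-ConnectionStringPassword {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line,
        [string]$Mask = 'XXXXX'
    )
    begin {
        # \b(password|pwd)  keyword at a word boundary; -replace is case-insensitive
        # \s*=\s*           optional spaces on either side of the equals sign
        # [^;"']+           the value: everything up to the next ; or closing quote
        $pattern     = '\b((?:password|pwd)\s*=\s*)[^;"'']+'
        # Escape $ so a mask containing it is not read as a group reference
        $replacement = '${1}' + $Mask.Replace('$', '$$')
    }
    process { $Line -replace $pattern, $replacement }
}

# Constructed sample lines covering the variants described in the thread
$sample = @(
    '<add name="A" connectionString="Server=db1;User ID=app;Password=abcdefg;" />'
    '<add name="B" connectionString="Server=db1;Uid=app;PWD = hhdhdhdhd" />'
    '<add name="C" connectionString="Data Source=db1;pwd=s3cret;Pooling=true" />'
    '<add key="PasswordPolicy" value="strict" />'   # must stay untouched
)

# Work on a scratch copy so the demo never touches a real web.config
$path = Join-Path ([IO.Path]::GetTempPath()) 'web.config.demo'
Set-Content -Path $path -Value $sample -Encoding UTF8

# Read everything first, then overwrite once (no -Append, so no clear-text copy stays behind)
$masked = Get-Content -Path $path | Hide-ConnectionStringPassword
Set-Content -Path $path -Value $masked -Encoding UTF8

# Verify: report any password value that is still not the mask
$leftover = Select-String -Path $path -Pattern '\b(password|pwd)\s*=\s*(?!\s|XXXXX)[^;"'']+'
if ($leftover) { $leftover } else { 'No clear-text password values remain.' }
Get-Content -Path $path
```

A value that is itself quoted or contains a semicolon falls outside the stated assumption and needs a real connection-string parser, not a regex.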