Skip to content
This repository was archived by the owner on Mar 16, 2024. It is now read-only.

Redact sensitive info before logging build messages #2003

Merged
merged 1 commit into from
Aug 2, 2023
Merged

Redact sensitive info before logging build messages #2003

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 20 additions & 2 deletions pkg/buildclient/messages.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -199,7 +199,7 @@ func (m *WebsocketMessages) run(ctx context.Context) error {
if err := m.conn.ReadJSON(msg); err != nil {
return err
}
logrus.Tracef("Read build message %s", msg)
logrus.Tracef("Read build message %s", redact(msg))
if m.handler != nil {
if err := m.handler(msg); err != nil {
return err
Expand Down Expand Up @@ -229,8 +229,26 @@ func (m *WebsocketMessages) Recv() (<-chan *Message, func()) {
}

func (m *WebsocketMessages) Send(msg *Message) error {
logrus.Tracef("Send build message %s", msg)
logrus.Tracef("Send build message %s", redact(msg))
Copy link
Member Author

@njhale njhale Aug 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could probably be achieved through a custom logrus formatter as well, but I think this is concise and works well enough.

Copy link
Contributor

@tylerslaton tylerslaton Aug 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, no need to right now unless you can think of other places that need redactions.

m.lock.Lock()
defer m.lock.Unlock()
return m.conn.WriteJSON(msg)
}

// redact returns a Message with all sensitive information redacted.
// Use this to prep a Message for logging.
func redact(msg *Message) *Message {
if msg == nil {
return nil
}

redacted := *msg
if redacted.RegistryAuth != nil {
redacted.RegistryAuth = &apiv1.RegistryAuth{
Username: "REDACTED",
Password: "REDACTED",
}
}

return &redacted
}