Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Redact any common secrets from fetch debug logging #553

Merged
merged 2 commits into from
Jan 15, 2025
Merged

Redact any common secrets from fetch debug logging #553

merged 2 commits into from
Jan 15, 2025

Conversation

ecooper
Copy link

@ecooper ecooper commented Jan 6, 2025

Problem

When outputting to stderr with debugging functions, we do a best effort to redact any secrets printed. We do this to avoid users accidentally copying and pasting debug logging with live secrets from their local terminal to GitHub or other places.

The fetch logging wasn't being redacted.

Solution

Use the redactedStringify helper in the fetch wrapper. While we're here:

  • Catch a failure state involving attempting to redact things that aren't strings (this happens mostly in test runs)
  • Shorten the '*' fill to be a max of 8 to obfuscate secret length.

Result

Fetch debug logging will redact anything that we think is a secret:

[fetch]: Received 201 of type basic from POST https://account.fauna.com/api/v1/databases/keys with body:
{
  "secret": "fnAF********a-jF",
  "path": "us-std/demo",
  "name": "System generated shell key",
  "role": "admin",
  "ttl": "2025-01-06T18:09:10.034Z",
  "id": "419354064378134593"
}

Testing

Unit tests were updated for redact.

@ecooper ecooper requested a review from a team as a code owner January 6, 2025 17:58
ptpaterson
ptpaterson approved these changes Jan 13, 2025
View reviewed changes
Copy link
Contributor

@ptpaterson ptpaterson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes please. Ran into this wanting to share debug output with new middleware for scoping secrets.

@ecooper ecooper merged commit ca540aa into main Jan 15, 2025
4 checks passed
@ecooper ecooper deleted the fix-redact-fetch branch January 15, 2025 21:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@echo-bravo-yahoo echo-bravo-yahoo echo-bravo-yahoo approved these changes

@ptpaterson ptpaterson ptpaterson approved these changes

@wildemat wildemat Awaiting requested review from wildemat

@cleve-fauna cleve-fauna Awaiting requested review from cleve-fauna

@henryfauna henryfauna Awaiting requested review from henryfauna

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ecooper @echo-bravo-yahoo @ptpaterson