Log actual flags rather than args+env
parent
9318041657
commit
7797e5d0e3
70
main.go
70
main.go
|
|
@ -722,8 +722,7 @@ func main() {
|
||||||
"uid", os.Getuid(),
|
"uid", os.Getuid(),
|
||||||
"gid", os.Getgid(),
|
"gid", os.Getgid(),
|
||||||
"home", os.Getenv("HOME"),
|
"home", os.Getenv("HOME"),
|
||||||
"args", logSafeArgs(os.Args),
|
"flags", logSafeFlags())
|
||||||
"env", logSafeEnv(os.Environ()))
|
|
||||||
|
|
||||||
if _, err := exec.LookPath(*flGitCmd); err != nil {
|
if _, err := exec.LookPath(*flGitCmd); err != nil {
|
||||||
log.Error(err, "ERROR: git executable not found", "git", *flGitCmd)
|
log.Error(err, "ERROR: git executable not found", "git", *flGitCmd)
|
||||||
|
|
@ -1089,61 +1088,30 @@ func redactURL(urlstr string) string {
|
||||||
return u.String()
|
return u.String()
|
||||||
}
|
}
|
||||||
|
|
||||||
// logSafeArgs makes sure any sensitive args (e.g. passwords) are redacted
|
// logSafeFlags makes sure any sensitive args (e.g. passwords) are redacted
|
||||||
// before logging.
|
// before logging. This returns a slice rather than a map so it is always
|
||||||
func logSafeArgs(args []string) []string {
|
// sorted.
|
||||||
ret := make([]string, len(args))
|
func logSafeFlags() []string {
|
||||||
redactWholeArg := false
|
ret := []string{}
|
||||||
readactURLArg := false
|
pflag.VisitAll(func(fl *pflag.Flag) {
|
||||||
for i, arg := range args {
|
arg := fl.Name
|
||||||
if redactWholeArg {
|
val := fl.Value.String()
|
||||||
ret[i] = redactedString
|
|
||||||
redactWholeArg = false
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if readactURLArg {
|
|
||||||
ret[i] = redactURL(arg)
|
|
||||||
readactURLArg = false
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
// Handle --password
|
// Handle --password
|
||||||
if arg == "--password" {
|
if arg == "password" {
|
||||||
redactWholeArg = true
|
val = redactedString
|
||||||
}
|
|
||||||
if strings.HasPrefix(arg, "--password=") {
|
|
||||||
arg = "--password=" + redactedString
|
|
||||||
}
|
}
|
||||||
// Handle password embedded in --repo
|
// Handle password embedded in --repo
|
||||||
if arg == "--repo" {
|
if arg == "repo" {
|
||||||
readactURLArg = true
|
val = redactURL(val)
|
||||||
}
|
}
|
||||||
if strings.HasPrefix(arg, "--repo=") {
|
// Don't log empty values
|
||||||
arg = "--repo=" + redactURL(arg[7:])
|
if val == "" {
|
||||||
|
return
|
||||||
}
|
}
|
||||||
ret[i] = arg
|
|
||||||
}
|
|
||||||
return ret
|
|
||||||
}
|
|
||||||
|
|
||||||
// logSafeEnv makes sure any sensitive env vars (e.g. passwords) are redacted
|
ret = append(ret, "--"+arg+"="+val)
|
||||||
// before logging.
|
})
|
||||||
func logSafeEnv(env []string) []string {
|
|
||||||
ret := make([]string, len(env))
|
|
||||||
for i, ev := range env {
|
|
||||||
if strings.HasPrefix(ev, "GITSYNC_PASSWORD=") {
|
|
||||||
ev = "GITSYNC_PASSWORD=" + redactedString
|
|
||||||
}
|
|
||||||
if strings.HasPrefix(ev, "GIT_SYNC_PASSWORD=") {
|
|
||||||
ev = "GIT_SYNC_PASSWORD=" + redactedString
|
|
||||||
}
|
|
||||||
if strings.HasPrefix(ev, "GITSYNC_REPO=") {
|
|
||||||
ev = "GITSYNC_REPO=" + redactURL(ev[14:])
|
|
||||||
}
|
|
||||||
if strings.HasPrefix(ev, "GIT_SYNC_REPO=") {
|
|
||||||
ev = "GIT_SYNC_REPO=" + redactURL(ev[14:])
|
|
||||||
}
|
|
||||||
ret[i] = ev
|
|
||||||
}
|
|
||||||
return ret
|
return ret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
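Review bot: In logSafeFlags, redaction is a deny-list keyed on two literal names (`password` and `repo`), while `pflag.VisitAll` walks every registered flag, so any other flag whose value can carry a credential, or one added later, is logged verbatim by default. I would keep the sensitive names in one place next to the flag definitions, or at least add a comment above the checks such as `// Every flag is logged as-is unless handled below; add any new secret- or URL-valued flag here.` Separately, the empty-value check runs after `val = redactedString`, so `--password=` is emitted as redacted even when no password was set; moving `if val == "" { return }` ahead of the two redaction checks keeps the log accurate. Whether other flags in this file hold secrets is not visible in these hunks and should be confirmed against the flag declarations.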