kubernetes
/
git-sync
mirror of https://github.com/kubernetes/git-sync.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Redact password when logging args

This commit is contained in:
Tim Hockin 2022-07-13 09:17:43 -07:00
parent c62f6cb833
commit 9529c24f6d
1 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
cmd/git-sync/main.go
View File

@ -430,7 +430,7 @@ func main() {
"uid", os.Getuid(), "uid", os.Getuid(),
"gid", os.Getgid(), "gid", os.Getgid(),
"home", os.Getenv("HOME"), "home", os.Getenv("HOME"),
"args", os.Args) "args", logSafeArgs(os.Args))
if _, err := exec.LookPath(*flGitCmd); err != nil { if _, err := exec.LookPath(*flGitCmd); err != nil {
log.Error(err, "ERROR: git executable not found", "git", *flGitCmd) log.Error(err, "ERROR: git executable not found", "git", *flGitCmd)
@ -717,6 +717,30 @@ func main() {
} }
} }
// logSafeArgs makes sure any sensitive args (e.g. passwords) are redacted
// before logging.
func logSafeArgs(args []string) []string {
const redacted = "<REDACTED>"
ret := make([]string, len(args))
redact := false
for i, arg := range args {
if redact {
ret[i] = redacted
redact = false
continue
}
if arg == "--password" {
redact = true
}
if strings.HasPrefix(arg, "--password=") {
arg = "--password=" + redacted
}
ret[i] = arg
}
return ret
}
func normalizePath(path string) (string, error) { func normalizePath(path string) (string, error) {
delinked, err := filepath.EvalSymlinks(path) delinked, err := filepath.EvalSymlinks(path)
if err != nil { if err != nil {