From 65fd2adf563c976deb65d20018f1a6b46e6b5fe7 Mon Sep 17 00:00:00 2001 From: Ti Chi Robot Date: Thu, 12 Dec 2024 18:11:42 +0800 Subject: [PATCH] br: redact secret strings when logging arguments (#57593) (#57604) close pingcap/tidb#57585 --- br/pkg/task/common.go | 8 ++++-- br/pkg/task/common_test.go | 55 +++++++++++++++++++++++++++++++++----- 2 files changed, 55 insertions(+), 8 deletions(-) diff --git a/br/pkg/task/common.go b/br/pkg/task/common.go index 343f1c0e84b16..c2432bcbaf042 100644 --- a/br/pkg/task/common.go +++ b/br/pkg/task/common.go @@ -732,7 +732,8 @@ func ReadBackupMeta( // flagToZapField checks whether this flag can be logged, // if need to log, return its zap field. Or return a field with hidden value. func flagToZapField(f *pflag.Flag) zap.Field { - if f.Name == flagStorage { + switch f.Name { + case flagStorage, FlagStreamFullBackupStorage: hiddenQuery, err := url.Parse(f.Value.String()) if err != nil { return zap.String(f.Name, "") @@ -740,8 +741,11 @@ func flagToZapField(f *pflag.Flag) zap.Field { // hide all query here. hiddenQuery.RawQuery = "" return zap.Stringer(f.Name, hiddenQuery) + case flagCipherKey, "azblob.encryption-key": + return zap.String(f.Name, "") + default: + return zap.Stringer(f.Name, f.Value) } - return zap.Stringer(f.Name, f.Value) } // LogArguments prints origin command arguments. diff --git a/br/pkg/task/common_test.go b/br/pkg/task/common_test.go index c942b96bc531e..79bd235fe1b45 100644 --- a/br/pkg/task/common_test.go +++ b/br/pkg/task/common_test.go @@ -33,13 +33,56 @@ func (f fakeValue) Type() string { } func TestUrlNoQuery(t *testing.T) { - flag := &pflag.Flag{ - Name: flagStorage, - Value: fakeValue("s3://some/what?secret=a123456789&key=987654321"), + testCases := []struct { + inputName string + expectedName string + inputValue string + expectedValue string + }{ + { + inputName: flagSendCreds, + expectedName: "send-credentials-to-tikv", + inputValue: "true", + expectedValue: "true", + }, + { + inputName: flagStorage, + expectedName: "storage", + inputValue: "s3://some/what?secret=a123456789&key=987654321", + expectedValue: "s3://some/what", + }, + { + inputName: FlagStreamFullBackupStorage, + expectedName: "full-backup-storage", + inputValue: "s3://bucket/prefix/?access-key=1&secret-key=2", + expectedValue: "s3://bucket/prefix/", + }, + { + inputName: flagCipherKey, + expectedName: "crypter.key", + inputValue: "537570657253656372657456616C7565", + expectedValue: "", + }, + { + inputName: "azblob.encryption-key", + expectedName: "azblob.encryption-key", + inputValue: "SUPERSECRET_AZURE_ENCRYPTION_KEY", + expectedValue: "", + }, + } + + for _, tc := range testCases { + flag := pflag.Flag{ + Name: tc.inputName, + Value: fakeValue(tc.inputValue), + } + field := flagToZapField(&flag) + require.Equal(t, tc.expectedName, field.Key, `test-case [%s="%s"]`, tc.expectedName, tc.expectedValue) + if stringer, ok := field.Interface.(fmt.Stringer); ok { + field.String = stringer.String() + } + require.Equal(t, tc.expectedValue, field.String, `test-case [%s="%s"]`, tc.expectedName, tc.expectedValue) } - field := flagToZapField(flag) - require.Equal(t, flagStorage, field.Key) - require.Equal(t, "s3://some/what", field.Interface.(fmt.Stringer).String()) } func TestTiDBConfigUnchanged(t *testing.T) {