cmd/tailscale/cli: redact auth keys in FlagSet output (#18563)

Running a command like `tailscale up --auth-key tskey-foo --auth-key tskey-bar` used to print ``` invalid value "tskey-bar" for flag -auth-key: flag provided multiple times ``` but now we print ``` invalid value "tskey-REDACTED" for flag -auth-key: flag provided multiple times ``` Fixes #18562 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
3 months ago · db96e52d6f
parent bcceef3682
commit db96e52d6f
2 changed files with 23 additions and 1 deletions
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@ -14,6 +14,7 @@ import (
 	"io"
 	"log"
 	"os"
+	"regexp"
 	"runtime"
 	"strings"
 	"sync"
@ -294,6 +295,10 @@ change in the future.
 		if w.UsageFunc == nil {
 			w.UsageFunc = usageFunc
 		}
+		if w.FlagSet != nil {
+			// If flags cannot be parsed, redact any keys in the error output .
+			w.FlagSet.SetOutput(sanitizeOutput(w.FlagSet.Output()))
+		}
 		return true
 	})

@ -566,3 +571,20 @@ func fixTailscaledConnectError(origErr error) error {
 	}
 	return origErr
 }
+
+func sanitizeOutput(w io.Writer) io.Writer {
+	return sanitizeWriter{w}
+}
+
+type sanitizeWriter struct {
+	w io.Writer
+}
+
+var reTskey = regexp.MustCompile(`tskey-\w+`)
+
+func (w sanitizeWriter) Write(buf []byte) (int, error) {
+	sanitized := reTskey.ReplaceAll(buf, []byte("tskey-REDACTED"))
+	diff := len(buf) - len(sanitized)
+	n, err := w.w.Write(sanitized)
+	return n - diff, err
+}
--- a/cmd/tailscaled/depaware-minbox.txt
+++ b/cmd/tailscaled/depaware-minbox.txt
@ -428,7 +428,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        path                                                         from io/fs+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
-        regexp                                                       from tailscale.com/clientupdate
+        regexp                                                       from tailscale.com/clientupdate+
        regexp/syntax                                                from regexp
        runtime                                                      from crypto/internal/fips140+
        runtime/debug                                                from github.com/klauspost/compress/zstd+