From db96e52d6f82e594f93eb44431a1b7fc732299be Mon Sep 17 00:00:00 2001
From: Andrew Lytvynov
Date: Fri, 30 Jan 2026 09:00:46 -0800
Subject: [PATCH] cmd/tailscale/cli: redact auth keys in FlagSet output (#18563)

Running a command like `tailscale up --auth-key tskey-foo --auth-key tskey-bar` used to print
```
invalid value "tskey-bar" for flag -auth-key: flag provided multiple times
```
but now we print
```
invalid value "tskey-REDACTED" for flag -auth-key: flag provided multiple times
```
Fixes #18562
Signed-off-by: Andrew Lytvynov
---
 cmd/tailscale/cli/cli.go | 22 ++++++++++++++++++++++
 cmd/tailscaled/depaware-minbox.txt | 2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/cmd/tailscale/cli/cli.go b/cmd/tailscale/cli/cli.go
index 4d16cfe69..b8ac76874 100644
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -14,6 +14,7 @@ import (
 "io"
 "log"
 "os"
+ "regexp"
 "runtime"
 "strings"
 "sync"
@@ -294,6 +295,10 @@ change in the future.
 if w.UsageFunc == nil {
 w.UsageFunc = usageFunc
 }
+ if w.FlagSet != nil {
+ // If flags cannot be parsed, redact any keys in the error output .
+ w.FlagSet.SetOutput(sanitizeOutput(w.FlagSet.Output()))
+ }
 return true
 })
@@ -566,3 +571,20 @@ func fixTailscaledConnectError(origErr error) error {
 }
 return origErr
 }
+
+func sanitizeOutput(w io.Writer) io.Writer {
+ return sanitizeWriter{w}
+}
+
+type sanitizeWriter struct {
+ w io.Writer
+}
+
+var reTskey = regexp.MustCompile(`tskey-\w+`)
+
+func (w sanitizeWriter) Write(buf []byte) (int, error) {
+ sanitized := reTskey.ReplaceAll(buf, []byte("tskey-REDACTED"))
+ diff := len(buf) - len(sanitized)
+ n, err := w.w.Write(sanitized)
+ return n - diff, err
+}
diff --git a/cmd/tailscaled/depaware-minbox.txt b/cmd/tailscaled/depaware-minbox.txt
index 083db4c5a..5121b56d0 100644
--- a/cmd/tailscaled/depaware-minbox.txt
+++ b/cmd/tailscaled/depaware-minbox.txt
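Review bot: In the last cli.go hunk, `reTskey` is `tskey-\w+`, and `\w` does not match `-`, so the match stops at the first hyphen after the prefix; Tailscale keys are, as far as I know, hyphen-separated (`tskey-auth-<id>-<secret>`), which would leave everything after `tskey-auth` in the printed error. A class that includes the hyphen, `tskey-[\w-]+`, would cover the whole token; the `tskey-foo`/`tskey-bar` samples in the commit message do not exercise this case. Separately, `sanitizeWriter.Write` returns `n - diff` with `diff := len(buf) - len(sanitized)`, so the sign is inverted: when the replacement lengthens the text the reported count exceeds `len(buf)`, and when it shortens the text a full write is reported as short, both of which break the io.Writer contract. Returning `len(buf)` when `err == nil` (and a count clamped to `len(buf)` otherwise) would fix that. A unit test with a multi-segment key that also asserts the returned count would pin both behaviours.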
@@ -428,7 +428,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de path from io/fs+ path/filepath from crypto/x509+ reflect from crypto/x509+ - regexp from tailscale.com/clientupdate + regexp from tailscale.com/clientupdate+ regexp/syntax from regexp runtime from crypto/internal/fips140+ runtime/debug from github.com/klauspost/compress/zstd+