cmd/tailscale/cli: redact auth keys in FlagSet output (#18563)
Running a command like `tailscale up --auth-key tskey-foo --auth-key tskey-bar` used to print ``` invalid value "tskey-bar" for flag -auth-key: flag provided multiple times ``` but now we print ``` invalid value "tskey-REDACTED" for flag -auth-key: flag provided multiple times ``` Fixes #18562 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
@@ -14,6 +14,7 @@ import (
|
||||
"io"
|
||||
"log"
|
||||
"os"
|
||||
"regexp"
|
||||
"runtime"
|
||||
"strings"
|
||||
"sync"
|
||||
@@ -294,6 +295,10 @@ change in the future.
|
||||
if w.UsageFunc == nil {
|
||||
w.UsageFunc = usageFunc
|
||||
}
|
||||
if w.FlagSet != nil {
|
||||
// If flags cannot be parsed, redact any keys in the error output .
|
||||
w.FlagSet.SetOutput(sanitizeOutput(w.FlagSet.Output()))
|
||||
}
|
||||
return true
|
||||
})
|
||||
|
||||
@@ -566,3 +571,20 @@ func fixTailscaledConnectError(origErr error) error {
|
||||
}
|
||||
return origErr
|
||||
}
|
||||
|
||||
func sanitizeOutput(w io.Writer) io.Writer {
|
||||
return sanitizeWriter{w}
|
||||
}
|
||||
|
||||
type sanitizeWriter struct {
|
||||
w io.Writer
|
||||
}
|
||||
|
||||
var reTskey = regexp.MustCompile(`tskey-\w+`)
|
||||
|
||||
func (w sanitizeWriter) Write(buf []byte) (int, error) {
|
||||
sanitized := reTskey.ReplaceAll(buf, []byte("tskey-REDACTED"))
|
||||
diff := len(buf) - len(sanitized)
|
||||
n, err := w.w.Write(sanitized)
|
||||
return n - diff, err
|
||||
}
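Review bot: `reTskey` is `tskey-\w+`, and `\w` does not match `-`, so a key with further hyphen-separated segments (Tailscale auth keys normally look like `tskey-auth-<id>-<secret>`) is rewritten to `tskey-REDACTED-<id>-<secret>` and the secret part is still printed; the commit's example `tskey-bar` passes only because it has a single segment. Widening the pattern to `tskey-[\w-]+` and adding a test with a multi-segment key would close this. In `sanitizeWriter.Write` the length correction has the wrong sign: after a full write `n` equals `len(sanitized)`, so `n - diff` is not `len(buf)` and can exceed it, which violates the `io.Writer` contract for any caller that checks the count. Returning `len(buf), nil` on success and `0, err` on failure would be simpler and correct. Redaction is also applied per `Write` call, so a key split across two writes would not match; a comment on `sanitizeWriter` such as `// Redaction is per Write call; callers must emit each message in a single Write.` would record that limit.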
|
||||
|
||||
@@ -428,7 +428,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
|
||||
path from io/fs+
|
||||
path/filepath from crypto/x509+
|
||||
reflect from crypto/x509+
|
||||
regexp from tailscale.com/clientupdate
|
||||
regexp from tailscale.com/clientupdate+
|
||||
regexp/syntax from regexp
|
||||
runtime from crypto/internal/fips140+
|
||||
runtime/debug from github.com/klauspost/compress/zstd+
|
||||
|
||||