cmd/tailscale/cli: redact auth keys in FlagSet output (#18563)
Running a command like `tailscale up --auth-key tskey-foo --auth-key tskey-bar` used to print ``` invalid value "tskey-bar" for flag -auth-key: flag provided multiple times ``` but now we print ``` invalid value "tskey-REDACTED" for flag -auth-key: flag provided multiple times ``` Fixes #18562 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
@@ -14,6 +14,7 @@ import (
|
|||||||
"io"
|
"io"
|
||||||
"log"
|
"log"
|
||||||
"os"
|
"os"
|
||||||
|
"regexp"
|
||||||
"runtime"
|
"runtime"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
@@ -294,6 +295,10 @@ change in the future.
|
|||||||
if w.UsageFunc == nil {
|
if w.UsageFunc == nil {
|
||||||
w.UsageFunc = usageFunc
|
w.UsageFunc = usageFunc
|
||||||
}
|
}
|
||||||
|
if w.FlagSet != nil {
|
||||||
|
// If flags cannot be parsed, redact any keys in the error output .
|
||||||
|
w.FlagSet.SetOutput(sanitizeOutput(w.FlagSet.Output()))
|
||||||
|
}
|
||||||
return true
|
return true
|
||||||
})
|
})
|
||||||
|
|
||||||
@@ -566,3 +571,20 @@ func fixTailscaledConnectError(origErr error) error {
|
|||||||
}
|
}
|
||||||
return origErr
|
return origErr
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func sanitizeOutput(w io.Writer) io.Writer {
|
||||||
|
return sanitizeWriter{w}
|
||||||
|
}
|
||||||
|
|
||||||
|
type sanitizeWriter struct {
|
||||||
|
w io.Writer
|
||||||
|
}
|
||||||
|
|
||||||
|
var reTskey = regexp.MustCompile(`tskey-\w+`)
|
||||||
|
|
||||||
|
func (w sanitizeWriter) Write(buf []byte) (int, error) {
|
||||||
|
sanitized := reTskey.ReplaceAll(buf, []byte("tskey-REDACTED"))
|
||||||
|
diff := len(buf) - len(sanitized)
|
||||||
|
n, err := w.w.Write(sanitized)
|
||||||
|
return n - diff, err
|
||||||
|
}
|
||||||
|
|||||||
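Review bot: The pattern in `var reTskey = regexp.MustCompile(`tskey-\w+`)` stops at the first character outside `\w`, so a key that contains a hyphen after the prefix is only partially redacted and the remainder is still written through; if auth keys can take a hyphenated form such as `tskey-auth-<id>-<secret>` (which I believe they do), the secret segment would survive the redaction. A pattern that includes the hyphen, `var reTskey = regexp.MustCompile(`tskey-[\w-]+`)`, covers that form and still matches the `tskey-foo` example from the description. Separately, `return n - diff, err` in `sanitizeWriter.Write` can produce a negative count when the underlying write is short and `n < diff`, which breaks the io.Writer contract of `0 <= n <= len(p)`; clamping with `return max(n-diff, 0), err` keeps the count in range on the error path. The writer also only redacts within a single call, so a key split across two Write calls would pass through unmatched; this looks safe for FlagSet's single formatted error line, but a one-line comment on the type stating that assumption would help the next reader.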
@@ -428,7 +428,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
|
|||||||
path from io/fs+
|
path from io/fs+
|
||||||
path/filepath from crypto/x509+
|
path/filepath from crypto/x509+
|
||||||
reflect from crypto/x509+
|
reflect from crypto/x509+
|
||||||
regexp from tailscale.com/clientupdate
|
regexp from tailscale.com/clientupdate+
|
||||||
regexp/syntax from regexp
|
regexp/syntax from regexp
|
||||||
runtime from crypto/internal/fips140+
|
runtime from crypto/internal/fips140+
|
||||||
runtime/debug from github.com/klauspost/compress/zstd+
|
runtime/debug from github.com/klauspost/compress/zstd+
|
||||||
|
|||||||