feat: Redact env secrets from output and logs (#20691)

maaarcelino · web-flow · commit a913f10ea397 · 2025-05-06T11:07:49.000Z
This adds functionality to redact secrets (aka environment variables) in cloud sync environments. This redacts them in the logs and in the output of all the CLI commands.
diff --git a/cli/cmd/logging.go b/cli/cmd/logging.go
@@ -6,6 +6,7 @@ import (
 	"os"
 
 	"github.com/cloudquery/cloudquery/cli/v6/internal/enum"
+	"github.com/cloudquery/cloudquery/cli/v6/internal/secrets"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 )
@@ -48,6 +49,7 @@ func initLogging(noLogFile bool, logLevel *enum.Enum, logFormat *enum.Enum, logC
 		}
 	}
 	mw := io.MultiWriter(writers...)
-	log.Logger = zerolog.New(mw).Level(zerologLevel).With().Str("module", "cli").Str("invocation_id", invocationUUID.String()).Timestamp().Logger()
+	secretAwareWriter := secrets.NewSecretAwareWriter(mw, secretAwareRedactor)
+	log.Logger = zerolog.New(secretAwareWriter).Level(zerologLevel).With().Str("module", "cli").Str("invocation_id", invocationUUID.String()).Timestamp().Logger()
 	return logFile, nil
 }
diff --git a/cli/cmd/root.go b/cli/cmd/root.go
@@ -5,9 +5,10 @@ import (
 	"os"
 	"time"
 
-	analytics "github.com/cloudquery/cloudquery/cli/v6/internal/analytics"
+	"github.com/cloudquery/cloudquery/cli/v6/internal/analytics"
 	"github.com/cloudquery/cloudquery/cli/v6/internal/enum"
 	"github.com/cloudquery/cloudquery/cli/v6/internal/env"
+	"github.com/cloudquery/cloudquery/cli/v6/internal/secrets"
 	"github.com/cloudquery/cloudquery/cli/v6/internal/uuid"
 	guuid "github.com/google/uuid"
 	"github.com/rs/zerolog"
@@ -28,11 +29,12 @@ High performance data integration at scale.
 Find more information at:
 	https://www.cloudquery.io`
 
-	disableSentry      = false
-	logConsole         = false
-	oldAnalyticsClient *AnalyticsClient
-	logFile            *os.File
-	invocationUUID     uuid.UUID
+	disableSentry       = false
+	logConsole          = false
+	oldAnalyticsClient  *AnalyticsClient
+	logFile             *os.File
+	invocationUUID      uuid.UUID
+	secretAwareRedactor *secrets.SecretAwareRedactor
 )
 
 func NewCmdRoot() *cobra.Command {
@@ -47,6 +49,7 @@ func NewCmdRoot() *cobra.Command {
 		fmt.Fprintf(os.Stderr, "failed to generate invocation uuid: %v", err)
 		os.Exit(1)
 	}
+	secretAwareRedactor = secrets.NewSecretAwareRedactor()
 
 	// support legacy telemetry environment variable,
 	// but the newer CQ_TELEMETRY_LEVEL environment variable takes precedence
@@ -109,6 +112,9 @@ func NewCmdRoot() *cobra.Command {
 		},
 	}
 
+	cmd.SetErr(secrets.NewSecretAwareWriter(os.Stderr, secretAwareRedactor))
+	cmd.SetOut(secrets.NewSecretAwareWriter(os.Stdout, secretAwareRedactor))
+
 	cmd.PersistentFlags().String("cq-dir", ".cq", "directory to store cloudquery files, such as downloaded plugins")
 	cmd.PersistentFlags().String("data-dir", "", "set persistent data directory")
 	err = cmd.PersistentFlags().MarkDeprecated("data-dir", "use cq-dir instead")
diff --git a/cli/cmd/sync.go b/cli/cmd/sync.go
@@ -248,6 +248,7 @@ func sync(cmd *cobra.Command, args []string) error {
 		}
 		if isolatePluginEnvironment {
 			cfg.Environment = filterPluginEnv(osEnviron, source.Name, "source")
+			secretAwareRedactor.AddSecretEnv(cfg.Environment)
 		}
 		sourcePluginClient, err := managedplugin.NewClient(ctx, managedplugin.PluginSource, cfg, opts...)
 		if err != nil {
@@ -291,6 +292,7 @@ func sync(cmd *cobra.Command, args []string) error {
 		}
 		if isolatePluginEnvironment {
 			cfg.Environment = filterPluginEnv(osEnviron, destination.Name, "destination")
+			secretAwareRedactor.AddSecretEnv(cfg.Environment)
 		}
 		destPluginClient, err := managedplugin.NewClient(ctx, managedplugin.PluginDestination, cfg, opts...)
 		if err != nil {
diff --git a/cli/cmd/test_connection.go b/cli/cmd/test_connection.go
@@ -188,6 +188,7 @@ func testConnection(cmd *cobra.Command, args []string) error {
 		}
 		if isolatePluginEnvironment {
 			sourcePluginConfigs[i].Environment = filterPluginEnv(osEnviron, source.Name, "source")
+			secretAwareRedactor.AddSecretEnv(sourcePluginConfigs[i].Environment)
 		}
 		sourceRegInferred[i] = source.RegistryInferred()
 	}
@@ -203,6 +204,7 @@ func testConnection(cmd *cobra.Command, args []string) error {
 		}
 		if isolatePluginEnvironment {
 			destinationPluginConfigs[i].Environment = filterPluginEnv(osEnviron, destination.Name, "destination")
+			secretAwareRedactor.AddSecretEnv(destinationPluginConfigs[i].Environment)
 		}
 		destinationRegInferred[i] = destination.RegistryInferred()
 	}
@@ -219,7 +221,7 @@ func testConnection(cmd *cobra.Command, args []string) error {
 			PluginRef:          ref,
 			Success:            false,
 			FailureCode:        "OTHER",
-			FailureDescription: err.Error(),
+			FailureDescription: secretAwareRedactor.RedactStr(err.Error()),
 		})
 	}
 
@@ -350,7 +352,7 @@ func testPluginConnection(ctx context.Context, client plugin.PluginClient, spec
 					return &testConnectionResult{
 						Success:            false,
 						FailureCode:        "OTHER",
-						FailureDescription: err.Error(),
+						FailureDescription: secretAwareRedactor.RedactStr(err.Error()),
 					}, nil
 				}
 
@@ -365,7 +367,7 @@ func testPluginConnection(ctx context.Context, client plugin.PluginClient, spec
 	return &testConnectionResult{
 		Success:            resp.Success,
 		FailureCode:        resp.FailureCode,
-		FailureDescription: resp.FailureDescription,
+		FailureDescription: secretAwareRedactor.RedactStr(resp.FailureDescription),
 	}, nil
 }
 
diff --git a/cli/internal/secrets/secrets.go b/cli/internal/secrets/secrets.go
@@ -0,0 +1,48 @@
+package secrets
+
+import (
+	"bytes"
+	"io"
+	"strings"
+)
+
+type SecretAwareRedactor struct {
+	secrets map[string]string
+}
+
+func NewSecretAwareRedactor() *SecretAwareRedactor {
+	return &SecretAwareRedactor{secrets: make(map[string]string)}
+}
+
+func (s *SecretAwareRedactor) RedactStr(msg string) string {
+	return string(s.RedactBytes([]byte(msg)))
+}
+
+func (s *SecretAwareRedactor) RedactBytes(msg []byte) []byte {
+	for v, k := range s.secrets {
+		msg = bytes.ReplaceAll(msg, []byte(v), []byte(k))
+	}
+	return msg
+}
+
+func (s *SecretAwareRedactor) AddSecretEnv(env []string) {
+	for _, v := range env {
+		parts := strings.SplitN(v, "=", 2)
+		if len(parts) == 2 && len(parts[1]) > 0 {
+			s.secrets[parts[1]] = parts[0]
+		}
+	}
+}
+
+type SecretAwareWriter struct {
+	out      io.Writer
+	redactor *SecretAwareRedactor
+}
+
+func NewSecretAwareWriter(out io.Writer, redactor *SecretAwareRedactor) *SecretAwareWriter {
+	return &SecretAwareWriter{out: out, redactor: redactor}
+}
+
+func (s SecretAwareWriter) Write(p []byte) (n int, err error) {
+	return s.out.Write(s.redactor.RedactBytes(p))
+}
diff --git a/cli/internal/secrets/secrets_test.go b/cli/internal/secrets/secrets_test.go
@@ -0,0 +1,58 @@
+package secrets
+
+import (
+	"bytes"
+	"io"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRedaction(t *testing.T) {
+	tests := []struct {
+		name string
+		msg  string
+		want string
+		env  []string
+	}{
+		{
+			name: "replaces env var value with its name",
+			env:  []string{"DB_PASS=foobar123"},
+			msg:  "wrong password foobar123",
+			want: "wrong password DB_PASS",
+		},
+		{
+			name: "handles env var value with equals sign",
+			env:  []string{"SECRET=user=foo"},
+			msg:  "wrong password for user=foo",
+			want: "wrong password for SECRET",
+		},
+		{
+			name: "leaves original msg unchanged",
+			env:  []string{},
+			msg:  "wrong password foobar123",
+			want: "wrong password foobar123",
+		},
+		{
+			name: "handles env var with empty value",
+			env:  []string{"DB_PASS="},
+			msg:  "wrong password foobar123",
+			want: "wrong password foobar123",
+		},
+	}
+	for _, tt := range tests {
+		redactor := NewSecretAwareRedactor()
+		redactor.AddSecretEnv(tt.env)
+		t.Run(tt.name, func(t *testing.T) {
+			got := redactor.RedactStr(tt.msg)
+			assert.Equal(t, tt.want, got)
+		})
+		t.Run(tt.name+" in log", func(t *testing.T) {
+			out := &bytes.Buffer{}
+			writer := NewSecretAwareWriter(out, redactor)
+			_, _ = writer.Write([]byte(tt.msg))
+			got, _ := io.ReadAll(out)
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ import (`
`6`	`6`	`"os"`
`7`	`7`
`8`	`8`	`"github.com/cloudquery/cloudquery/cli/v6/internal/enum"`
	`9`	`+ "github.com/cloudquery/cloudquery/cli/v6/internal/secrets"`
`9`	`10`	`"github.com/rs/zerolog"`
`10`	`11`	`"github.com/rs/zerolog/log"`
`11`	`12`	`)`
`@@ -48,6 +49,7 @@ func initLogging(noLogFile bool, logLevel enum.Enum, logFormat enum.Enum, logC`
`48`	`49`	`}`
`49`	`50`	`}`
`50`	`51`	`mw := io.MultiWriter(writers...)`
`51`		`- log.Logger = zerolog.New(mw).Level(zerologLevel).With().Str("module", "cli").Str("invocation_id", invocationUUID.String()).Timestamp().Logger()`
	`52`	`+ secretAwareWriter := secrets.NewSecretAwareWriter(mw, secretAwareRedactor)`
	`53`	`+ log.Logger = zerolog.New(secretAwareWriter).Level(zerologLevel).With().Str("module", "cli").Str("invocation_id", invocationUUID.String()).Timestamp().Logger()`
`52`	`54`	`return logFile, nil`
`53`	`55`	`}`
Original file line number	Diff line number	Diff line change
`@@ -248,6 +248,7 @@ func sync(cmd *cobra.Command, args []string) error {`
`248`	`248`	`}`
`249`	`249`	`if isolatePluginEnvironment {`
`250`	`250`	`cfg.Environment = filterPluginEnv(osEnviron, source.Name, "source")`
	`251`	`+ secretAwareRedactor.AddSecretEnv(cfg.Environment)`
`251`	`252`	`}`
`252`	`253`	`sourcePluginClient, err := managedplugin.NewClient(ctx, managedplugin.PluginSource, cfg, opts...)`
`253`	`254`	`if err != nil {`
`@@ -291,6 +292,7 @@ func sync(cmd *cobra.Command, args []string) error {`
`291`	`292`	`}`
`292`	`293`	`if isolatePluginEnvironment {`
`293`	`294`	`cfg.Environment = filterPluginEnv(osEnviron, destination.Name, "destination")`
	`295`	`+ secretAwareRedactor.AddSecretEnv(cfg.Environment)`
`294`	`296`	`}`
`295`	`297`	`destPluginClient, err := managedplugin.NewClient(ctx, managedplugin.PluginDestination, cfg, opts...)`
`296`	`298`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -188,6 +188,7 @@ func testConnection(cmd *cobra.Command, args []string) error {`
`188`	`188`	`}`
`189`	`189`	`if isolatePluginEnvironment {`
`190`	`190`	`sourcePluginConfigs[i].Environment = filterPluginEnv(osEnviron, source.Name, "source")`
	`191`	`+ secretAwareRedactor.AddSecretEnv(sourcePluginConfigs[i].Environment)`
`191`	`192`	`}`
`192`	`193`	`sourceRegInferred[i] = source.RegistryInferred()`
`193`	`194`	`}`
`@@ -203,6 +204,7 @@ func testConnection(cmd *cobra.Command, args []string) error {`
`203`	`204`	`}`
`204`	`205`	`if isolatePluginEnvironment {`
`205`	`206`	`destinationPluginConfigs[i].Environment = filterPluginEnv(osEnviron, destination.Name, "destination")`
	`207`	`+ secretAwareRedactor.AddSecretEnv(destinationPluginConfigs[i].Environment)`
`206`	`208`	`}`
`207`	`209`	`destinationRegInferred[i] = destination.RegistryInferred()`
`208`	`210`	`}`
`@@ -219,7 +221,7 @@ func testConnection(cmd *cobra.Command, args []string) error {`
`219`	`221`	`PluginRef: ref,`
`220`	`222`	`Success: false,`
`221`	`223`	`FailureCode: "OTHER",`
`222`		`- FailureDescription: err.Error(),`
	`224`	`+ FailureDescription: secretAwareRedactor.RedactStr(err.Error()),`
`223`	`225`	`})`
`224`	`226`	`}`
`225`	`227`
`@@ -350,7 +352,7 @@ func testPluginConnection(ctx context.Context, client plugin.PluginClient, spec`
`350`	`352`	`return &testConnectionResult{`
`351`	`353`	`Success: false,`
`352`	`354`	`FailureCode: "OTHER",`
`353`		`- FailureDescription: err.Error(),`
	`355`	`+ FailureDescription: secretAwareRedactor.RedactStr(err.Error()),`
`354`	`356`	`}, nil`
`355`	`357`	`}`
`356`	`358`
`@@ -365,7 +367,7 @@ func testPluginConnection(ctx context.Context, client plugin.PluginClient, spec`
`365`	`367`	`return &testConnectionResult{`
`366`	`368`	`Success: resp.Success,`
`367`	`369`	`FailureCode: resp.FailureCode,`
`368`		`- FailureDescription: resp.FailureDescription,`
	`370`	`+ FailureDescription: secretAwareRedactor.RedactStr(resp.FailureDescription),`
`369`	`371`	`}, nil`
`370`	`372`	`}`
`371`	`373`