util/log: fix redactability of logging tags

[knz]

Fixes #72905.

Some time in the v21.2 cycle, the log entry preparation logic was
refactored and a mistake was introduced: the logging tags were not any
more subject to the redaction logic. The result was that redaction
markers were missing in log tag values, and if a value had contained
unbalanced redaction markers in a value string (say, as part of a SQL
table key), it would have caused log file corruption and possibly a
confidential data leak.

This patch fixes that, by preparing the logging tags in the same way
as the main message for each entry.

Release note (cli change): A bug affecting the redactability of
logging tags in output log entries has been fixed. This bug had
been introduced in the v21.2 release.

[cockroach-teamcity]

This change is 

[knz]

the two bugs:

• redactable values in tags do not get redacted when redact: true is set
• redaction markers are not removed when redactable: false is set

probably a 3rd bug as well: redaction markers inside sensitive values should be escaped. Need to check whether the test catches it.

[abarganier]

Although this is my first time really digging into our logEntry/redaction code, I found the formattableTags API to be readable and straightforward - nice work.

It seems like a test or two is causing issues with the iterator, although I'm unsure if it's just the test or if we truly need to account for the case where bytes.IndexByte returns -1 🤔

Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @abarganier and @knz)

---

pkg/util/log/formattable_tags.go, line 79 at r3 (raw file):

	}
	// Advance the cursor to the beginning of the first next value.
	nv := bytes.IndexByte(i.tags, 0)

should we code defensively against a case where bytes.IndexByte() returns -1?

Code quote:

nv := bytes.IndexByte(i.tags, 0)

---

pkg/util/log/formattable_tags.go, line 136 at r3 (raw file):

		if len(val) > 0 {
			if len(key) != 1 {
				w.SafeRune('=')

I'm curious, what does a key with a length of 1 represent/imply?

Code quote:

			if len(key) != 1 {
				w.SafeRune('=')
			}

[knz]

It seems like a test or two is causing issues with the iterator,

it was just a linter error. Fixed.

Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @abarganier)

---

pkg/util/log/formattable_tags.go, line 79 at r3 (raw file):

Previously, abarganier (Alex Barganier) wrote…

should we code defensively against a case where bytes.IndexByte() returns -1?

No need - it's an invariant of the formattableTags that there's always a value for every key, possibly empty.

---

pkg/util/log/formattable_tags.go, line 136 at r3 (raw file):

Previously, abarganier (Alex Barganier) wrote…

I'm curious, what does a key with a length of 1 represent/imply?

We skip the = sign for 1-letter keys: we write "n1" in logs, not "n=1".

[knz]

oh the test in TestStoreRangeMergeWithData reveals there may be nul bytes in keys or values. Looking into it now.

[knz]

oh the test in TestStoreRangeMergeWithData reveals there may be nul bytes in keys or values. Looking into it now.

Fixed.

[abarganier]

, thank you for fixing!

Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @abarganier and @knz)

---

pkg/util/log/formattable_tags.go, line 79 at r3 (raw file):

Previously, knz (kena) wrote…

No need - it's an invariant of the formattableTags that there's always a value for every key, possibly empty.

Ack, with the addition of escapeNulBytes it seems like we're good here 👍

---

pkg/util/log/formattable_tags.go, line 136 at r3 (raw file):

Previously, knz (kena) wrote…

We skip the = sign for 1-letter keys: we write "n1" in logs, not "n=1".

Ack.

[knz]

TFYR!

bors r=abarganier

[knz]

blathers backport 21.2

[craig]

Build succeeded:

• GitHub CI (Cockroach)