fix(security): sanitize json.Unmarshal errors to prevent secret data …#5884
Merged
fix(security): sanitize json.Unmarshal errors to prevent secret data leakage
When json.Unmarshal fails, Go includes the problematic value in the error
message. These errors were propagated to PushSecret status conditions,
exposing sensitive data via the Kubernetes API.
Example: A secret containing a numeric value like an API key or token ID:
Secret data: {"key": 8019210420527506405}
When unmarshalled into map[string]any, this produces:
"json: cannot unmarshal number 8019210420527506405 into Go value of type float64"
This error was stored in PushSecret.Status.Conditions[].Message, making
the secret value readable by anyone with get permissions on PushSecrets.
Fixed by returning sanitized error messages that don't include the
original json.Unmarshal error details.
Affected providers: vault, akeyless, scaleway, kubernetes, secretserver,
volcengine
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
test(vault): add regression tests for secret data leakage in error messages
Add tests to ensure json.Unmarshal errors don't leak sensitive secret data in error messages. Tests cover both code paths in PushSecret:
- Unmarshalling incoming secret value for comparison
- Unmarshalling the value to push
Also adds a security regression check in the test loop that explicitly verifies error messages don't contain the secret data.
Co-Authored-By: Claude <noreply@anthropic.com>
test(kubernetes): add regression test for secret data leakage in error messages
Add test to ensure json.Unmarshal errors in GetSecretMap don't leak sensitive secret data in error messages. The test verifies that when unmarshalling fails, the error message is sanitized to "failed to unmarshal secret: invalid JSON format" and doesn't contain the actual secret value.
Co-Authored-By: Claude <noreply@anthropic.com>
Skarlso approved these changes on Jan 28, 2026
nutmos pushed a commit to nutmos/external-secrets that referenced this pull request on Feb 11, 2026
nutmos pushed a commit to nutmos/external-secrets that referenced this pull request on Feb 18, 2026
radermacher-iits pushed a commit to kubara-io/kubara that referenced this pull request on Feb 19, 2026
Renovate Bot update of external-secrets `1.2.1` → `1.3.2` (Reviewed-on: https://kubara.git.onstackit.cloud/STACKIT/kubara/pulls/250). The v1.3.2 release notes (image `ghcr.io/external-secrets/external-secrets:v1.3.2`) list this fix under "What's Changed": fix(security): sanitize json.Unmarshal errors to prevent secret data … by @moolen in #5884.
dsp0x4 pushed a commit to dsp0x4/external-secrets that referenced this pull request on Mar 22, 2026
Sanitize json.Unmarshal errors to prevent secret data leakage.

When json.Unmarshal fails, Go includes the problematic value in the error message. These errors were propagated to PushSecret status conditions, exposing sensitive data via the Kubernetes API.
Example: A secret containing a numeric value like an API key or token ID:
Secret data: {"key": 1231231231213132}
When unmarshalled into map[string]any, this produces:
"json: cannot unmarshal number 1231231231213132 into Go value of type float64"
This error was stored in PushSecret.Status.Conditions[].Message, making the secret value readable by anyone with get permissions on PushSecrets.
Fixed by returning sanitized error messages that don't include the original json.Unmarshal error details.
Affected providers: vault, akeyless, scaleway, kubernetes, secretserver, volcengine
This security fix sanitizes error messages from json.Unmarshal operations across six providers (vault, akeyless, scaleway, kubernetes, secretserver, volcengine) to prevent accidental exposure of secret values in Kubernetes API status conditions.
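The following Go program is an added example written for this page; it is not code from the external-secrets repository or from the PR. It reproduces the class of leak the PR describes and shows two ways to close it. `UnmarshalLeaky` mirrors the pre-fix pattern: the `encoding/json` error is wrapped with `%w`, and `err.Error()` still carries the decoder text, which for number type mismatches embeds the JSON literal itself, so wrapping alone does not help. `UnmarshalSanitized` is the shape of the PR's fix: a constant, value-free message. `SanitizeJSONError` is a hypothetical alternative that is not in the PR: it keeps the error class and byte offset for operators but drops every literal, including the character that `*json.SyntaxError` quotes. `LeaksSecret` is the same check the PR's regression tests perform. The input is constructed; `1e400` is used because it overflows float64, which is one input that makes `encoding/json` report the literal when decoding into `map[string]any`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidJSON is the constant, value-free error returned instead of the
// decoder's own message (the wording the PR's kubernetes test asserts on).
var ErrInvalidJSON = errors.New("failed to unmarshal secret: invalid JSON format")

// UnmarshalLeaky mirrors the pre-fix pattern: the encoding/json error is
// wrapped, so err.Error() carries the decoder text, which for number type
// mismatches embeds the JSON literal itself.
func UnmarshalLeaky(data []byte) (map[string]any, error) {
	var out map[string]any
	if err := json.Unmarshal(data, &out); err != nil {
		return nil, fmt.Errorf("failed to unmarshal secret: %w", err)
	}
	return out, nil
}

// UnmarshalSanitized is the shape of the fix: on any decode failure the
// caller gets ErrInvalidJSON and nothing derived from the input.
func UnmarshalSanitized(data []byte) (map[string]any, error) {
	var out map[string]any
	if err := json.Unmarshal(data, &out); err != nil {
		return nil, ErrInvalidJSON
	}
	return out, nil
}

// SanitizeJSONError is a hypothetical alternative (not the project's code):
// keep the error class and byte offset for operators, drop every literal.
func SanitizeJSONError(err error) error {
	var typeErr *json.UnmarshalTypeError
	var synErr *json.SyntaxError
	switch {
	case err == nil:
		return nil
	case errors.As(err, &typeErr):
		// typeErr.Value reads e.g. "number 1e400"; only the Go type is reported.
		return fmt.Errorf("failed to unmarshal secret: value does not fit Go type %s at offset %d",
			typeErr.Type, typeErr.Offset)
	case errors.As(err, &synErr):
		// synErr.Error() quotes the offending character, so keep only the offset.
		return fmt.Errorf("failed to unmarshal secret: syntax error at offset %d", synErr.Offset)
	default:
		return ErrInvalidJSON
	}
}

// LeaksSecret is the regression check from the PR's test loop: would the
// message written to Status.Conditions[].Message reveal the secret?
func LeaksSecret(err error, secret string) bool {
	return err != nil && strings.Contains(err.Error(), secret)
}

func main() {
	// Constructed input: 1e400 overflows float64, so decoding into
	// map[string]any fails and encoding/json reports the literal.
	data := []byte(`{"key": 1e400}`)
	secret := "1e400"

	_, leaky := UnmarshalLeaky(data)
	_, fixed := UnmarshalSanitized(data)
	stripped := SanitizeJSONError(leaky)
	fmt.Println("raw:      ", leaky, "| leaks:", LeaksSecret(leaky, secret))
	fmt.Println("fixed:    ", fixed, "| leaks:", LeaksSecret(fixed, secret))
	fmt.Println("stripped: ", stripped, "| leaks:", LeaksSecret(stripped, secret))
}
```

Run it with `go run`. The check is the one a regression test should keep: the string that would be copied into `Status.Conditions[].Message` must not contain the secret value. Note that the decoder's `*json.SyntaxError` text quotes the first offending character, so a sanitizer that handles only `*json.UnmarshalTypeError` still leaks one byte of a malformed value; the constant-message approach the PR takes avoids that class of mistake entirely.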