
Commit 3b098e5

feat: log a warning for redacting empty secrets
1 parent 2b5ee42 commit 3b098e5


2 files changed

+84
-0
lines changed


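--- a/redactwriter/redactwriter.go
+++ b/redactwriter/redactwriter.go
@@ -33,6 +33,11 @@ func New(secrets []string, target io.Writer, logger log.Logger) *Writer {
 extendedSecrets := secrets
 // adding transformed secrets with escaped newline characters to ensure that these are also obscured if found in logs
 for _, secret := range secrets {
+// Warn about problematic secret values
+if strings.TrimSpace(secret) == "" {
+logger.Warnf("Secret value is empty or contains only whitespaces, resulting in unintended redaction!")
+}
+
 if strings.Contains(secret, "\n") {
 extendedSecrets = append(extendedSecrets, strings.ReplaceAll(secret, "\n", `\n`))
 }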
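Review bot: The empty-secret check added at the top of the loop only logs, so the empty or whitespace-only value stays in `extendedSecrets` (initialised from `secrets` just above) and the redaction that the message itself calls unintended presumably still takes place. If warn-only is the intended behaviour, the comment should say so, e.g. `// Warn only: the value is still kept in the redaction list`; otherwise the list should be built without such entries. The warning also does not say which entry is affected; ranging with an index and logging it (never the value), as in `logger.Warnf("Secret value at index %d is empty or contains only whitespaces, resulting in unintended redaction!", i)`, would let the user find the misconfigured secret. The body of New begins before and continues after this hunk.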

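--- a/redactwriter/redactwriter_test.go
+++ b/redactwriter/redactwriter_test.go
@@ -558,3 +558,82 @@ line 2`)
 require.Equal(t, []byte(nil), chunk)
 }
 }
+
+func TestNew_EmptyOrWhitespaceSecrets(t *testing.T) {
+t.Log("empty string secret triggers warning")
+{
+var buff bytes.Buffer
+mockLogger := new(mocks.Logger)
+mockLogger.On("Warnf", "Secret value is empty or contains only whitespaces, resulting in unintended redaction!").Return()
+
+New([]string{""}, &buff, mockLogger)
+
+mockLogger.AssertExpectations(t)
+}
+
+t.Log("single space secret triggers warning")
+{
+var buff bytes.Buffer
+mockLogger := new(mocks.Logger)
+mockLogger.On("Warnf", "Secret value is empty or contains only whitespaces, resulting in unintended redaction!").Return()
+
+New([]string{" "}, &buff, mockLogger)
+
+mockLogger.AssertExpectations(t)
+}
+
+t.Log("multiple spaces secret triggers warning")
+{
+var buff bytes.Buffer
+mockLogger := new(mocks.Logger)
+mockLogger.On("Warnf", "Secret value is empty or contains only whitespaces, resulting in unintended redaction!").Return()
+
+New([]string{" "}, &buff, mockLogger)
+
+mockLogger.AssertExpectations(t)
+}
+
+t.Log("tab and newline characters secret triggers warning")
+{
+var buff bytes.Buffer
+mockLogger := new(mocks.Logger)
+mockLogger.On("Warnf", "Secret value is empty or contains only whitespaces, resulting in unintended redaction!").Return()
+
+New([]string{"\t\n "}, &buff, mockLogger)
+
+mockLogger.AssertExpectations(t)
+}
+
+t.Log("multiple empty/whitespace secrets trigger multiple warnings")
+{
+var buff bytes.Buffer
+mockLogger := new(mocks.Logger)
+mockLogger.On("Warnf", "Secret value is empty or contains only whitespaces, resulting in unintended redaction!").Return().Times(3)
+
+New([]string{"", " ", " "}, &buff, mockLogger)
+
+mockLogger.AssertExpectations(t)
+}
+
+t.Log("normal secret does not trigger warning")
+{
+var buff bytes.Buffer
+mockLogger := new(mocks.Logger)
+// No Warnf expectation set - test will fail if Warnf is called
+
+New([]string{"valid_secret"}, &buff, mockLogger)
+
+mockLogger.AssertNotCalled(t, "Warnf")
+}
+
+t.Log("mixed valid and invalid secrets trigger warning only for invalid ones")
+{
+var buff bytes.Buffer
+mockLogger := new(mocks.Logger)
+mockLogger.On("Warnf", "Secret value is empty or contains only whitespaces, resulting in unintended redaction!").Return().Times(2)
+
+New([]string{"valid_secret", "", "another_valid", " "}, &buff, mockLogger)
+
+mockLogger.AssertExpectations(t)
+}
+}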
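Review bot: The seven cases in TestNew_EmptyOrWhitespaceSecrets are copy-pasted blocks separated by `t.Log`, so a failure is not attributed to a named case and the warning text is repeated in every block; a table-driven test with `t.Run` subtests and one constant for the message would be shorter and report per case. The "single space" and "multiple spaces" cases show the same `" "` literal as rendered here, which may be an artefact of the page, so it is worth confirming that they differ in the file. The tests pin only the Warnf call and not what the returned Writer does with an empty or whitespace-only secret, so the redaction behaviour the warning refers to stays untested.

```go
func TestNew_EmptyOrWhitespaceSecrets(t *testing.T) {
	const warning = "Secret value is empty or contains only whitespaces, resulting in unintended redaction!"

	tests := []struct {
		name      string
		secrets   []string
		wantWarns int
	}{
		{"empty string", []string{""}, 1},
		{"tab and newline", []string{"\t\n "}, 1},
		{"normal secret", []string{"valid_secret"}, 0},
		{"mixed valid and invalid", []string{"valid_secret", "", "another_valid", " "}, 2},
		// … remaining cases from the hunk, one row each …
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			var buff bytes.Buffer
			mockLogger := new(mocks.Logger)
			if tt.wantWarns > 0 {
				mockLogger.On("Warnf", warning).Return().Times(tt.wantWarns)
			}

			New(tt.secrets, &buff, mockLogger)

			mockLogger.AssertNumberOfCalls(t, "Warnf", tt.wantWarns)
		})
	}
}
```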
