github-actions[bot] commented on code in PR #63228:
URL: https://github.com/apache/doris/pull/63228#discussion_r3361523943
##########
regression-test/pipeline/common/doris-utils.sh:
##########
@@ -662,6 +662,14 @@ _monitor_regression_log() {
}
+_redact_creds() {
+ local expr="" v
+ for v in "${hwYunAk:-}" "${hwYunSk:-}" "${s3SourceAk:-}" "${s3SourceSk:-}"
"${txYunAk:-}" "${txYunSk:-}"; do
+ [[ -n "${v}" ]] && expr+="s/${v}//g;"
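Review bot: The replacement in `expr+="s/${v}//g;"` is empty, so a redacted line looks the same as one whose value was blank, and nothing in the archived log shows whether redaction actually ran. Consider substituting a fixed marker (for example `***`) instead of deleting the value, so a reader can tell a credential was removed and can spot a run where nothing was masked.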
Review Comment:
This still leaves a credential leak path for valid secret values that
contain sed syntax. For example, an S3 secret key can contain `/`; with
`s3SourceSk='abc/def'` this builds `s/abc/def//g;`, `sed` fails, and the helper
suppresses the failure with `|| true`, so the logs/configs are copied into the
archive unredacted. Regex metacharacters such as `[` can also make the pattern
invalid or overmatch. Please escape the sed pattern/delimiter for each value,
or use a fixed-string/quoted redaction approach, before suppressing redaction
command failures.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
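The fixed-string approach the review comment asks for, as an added example that is not part of the PR or the Doris code base: bash's quoted pattern substitution masks each value literally, and a leak count lets the caller refuse to archive instead of suppressing a failed redaction. The function names, the mask text and all sample values are assumptions.

```bash
#!/usr/bin/env bash
# Added example. Function names, the mask text and sample values are constructed.

# Builds the sed script the same way the hunk does: raw interpolation.
naive_expr() {
    local expr="" v
    for v in "$@"; do
        [[ -n "${v}" ]] && expr+="s/${v}//g;"
    done
    printf '%s' "${expr}"
}

# True when sed can parse the script at all (run against empty input).
sed_accepts() {
    sed -e "$1" </dev/null >/dev/null 2>&1
}

# Fixed-string redaction of stdin. Quoting "${v}" in the pattern position makes
# bash match the value literally, so '/', '[', '.' and '*' need no escaping, and
# the secret never lands in another process's argument list.
redact_fixed() {
    local mask='***REDACTED***' line v
    while IFS= read -r line || [[ -n "${line}" ]]; do
        for v in "$@"; do
            [[ -n "${v}" ]] && line=${line//"${v}"/${mask}}
        done
        printf '%s\n' "${line}"
    done
}

# Fail-closed check: number of lines in a file that still contain any secret.
# Archive only when this prints 0.
count_leaks() {
    local file=$1 n=0 line v; shift
    while IFS= read -r line || [[ -n "${line}" ]]; do
        for v in "$@"; do
            [[ -n "${v}" && "${line}" == *"${v}"* ]] && { n=$((n + 1)); break; }
        done
    done <"${file}"
    printf '%s\n' "${n}"
}

# Constructed demo: a secret containing '/' is masked without any escaping.
printf 'secret_key = abc/def\n' | redact_fixed 'abc/def'
```
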