(apisix-ingress-controller) branch v2.0.0 updated: fix: should not contain plaintext token in log message. (#2462)

Mon, 07 Jul 2025 02:37:38 -0700 

This is an automated email from the ASF dual-hosted git repository.

alinsran pushed a commit to branch v2.0.0
in repository https://gitbox.apache.org/repos/asf/apisix-ingress-controller.git


The following commit(s) were added to refs/heads/v2.0.0 by this push:
     new 6c5847c0 fix: should not contain plaintext token in log message. 
(#2462)
6c5847c0 is described below

commit 6c5847c05d35c75ac691e587838061dc74089295
Author: Ashing Zheng <axing...@gmail.com>
AuthorDate: Mon Jul 7 17:30:46 2025 +0800

    fix: should not contain plaintext token in log message. (#2462)
    
    Signed-off-by: ashing <axing...@gmail.com>
---
 internal/provider/adc/adc.go      | 14 ++++++++++++++
 internal/provider/adc/executor.go | 15 ++++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/internal/provider/adc/adc.go b/internal/provider/adc/adc.go
index a25a39e8..baed0d7f 100644
--- a/internal/provider/adc/adc.go
+++ b/internal/provider/adc/adc.go
@@ -51,6 +51,20 @@ type adcConfig struct {
        TlsVerify   bool
 }
 
+// MarshalJSON implements custom JSON marshaling for adcConfig
+// It excludes the Token field for security reasons
+func (c adcConfig) MarshalJSON() ([]byte, error) {
+       return json.Marshal(struct {
+               Name        string   `json:"name"`
+               ServerAddrs []string `json:"serverAddrs"`
+               TlsVerify   bool     `json:"tlsVerify"`
+       }{
+               Name:        c.Name,
+               ServerAddrs: c.ServerAddrs,
+               TlsVerify:   c.TlsVerify,
+       })
+}
+
 type BackendMode string
 
 const (
diff --git a/internal/provider/adc/executor.go 
b/internal/provider/adc/executor.go
index 77414be7..5377018d 100644
--- a/internal/provider/adc/executor.go
+++ b/internal/provider/adc/executor.go
@@ -100,7 +100,7 @@ func (e *DefaultADCExecutor) runForSingleServer(ctx 
context.Context, serverAddr,
 
        log.Debugw("running adc command",
                zap.String("command", strings.Join(cmd.Args, " ")),
-               zap.Strings("env", env),
+               zap.Strings("env", filterSensitiveEnv(env)),
        )
 
        if err := cmd.Run(); err != nil {
@@ -138,6 +138,19 @@ func (e *DefaultADCExecutor) prepareEnv(serverAddr, mode, 
token string) []string
        }
 }
 
+// filterSensitiveEnv filters out sensitive information from environment 
variables for logging
+func filterSensitiveEnv(env []string) []string {
+       filtered := make([]string, 0, len(env))
+       for _, envVar := range env {
+               if strings.Contains(envVar, "ADC_TOKEN=") {
+                       filtered = append(filtered, "ADC_TOKEN=***")
+               } else {
+                       filtered = append(filtered, envVar)
+               }
+       }
+       return filtered
+}
+
 func (e *DefaultADCExecutor) buildCmdError(runErr error, stdout, stderr 
[]byte) error {
        errMsg := string(stderr)
        if errMsg == "" {

Reply via email to