security(client): redact credentials in --debug output (SEC-07) #27
Merged
`--debug` printed the raw request/response body, so fetching a kubeconfig with `--debug` logged the embedded client cert/key/token (a long-lived credential) to stderr, into scrollback/CI logs. Redact credential-bearing fields (kubeConfig, token, client-certificate-data, client-key-data, *secret*, password) to "[REDACTED]" in the debug view only; the real response is untouched. Applied to both request and response debug logging.

Note: this closes the `--debug` leak vector. The underlying model (VKS embeds a static N-day credential in the kubeconfig, vs EKS/GKE exec-plugin short-lived tokens) is server-side and out of scope.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
**Finding (SEC-07, the `--debug` leak vector)**

`--debug` printed the raw request/response body (client.go). So `grn vks update-kubeconfig --debug` — which GETs the cluster kubeconfig — logged the embedded client cert/key/token (a long-lived credential; default `--expiration-days 30`) to stderr, landing in scrollback / CI logs.

Verified: `--debug` does NOT print the `Authorization` header (bearer token safe there), but it DID print the full response body, which for kubeconfig contains the credential.

**Fix**

`redactDebugBody` parses the JSON body and replaces credential-bearing field values with `[REDACTED]` in the debug view only — the real response used by the command is untouched. Applied to both the request-body and response-body debug prints.

Redacted keys: `kubeConfig`, `token`, `client-certificate-data`, `client-key-data`, `client_secret`/`clientSecret`, `password`, plus any key containing `secret`/`password` or ending in `token`/`key-data`. Non-JSON bodies pass through unchanged (VKS/vServer bodies are JSON).

Example (`update-kubeconfig --debug`) now logs:

**Out of scope (server-side)**

The deeper issue — VKS embeds a static N-day credential in the kubeconfig, whereas EKS/GKE use an exec-plugin that mints short-lived (~15 min / ~1 h) tokens on demand and stores nothing on disk. The VKS API exposes only `GET/POST /kubeconfig` (no short-lived token endpoint), so the exec-plugin model can't be done in the CLI alone — it needs a VKS control-plane capability. This PR closes the `--debug` leak; the model change is a backend proposal.

**Testing**

`redact_test.go`: kubeconfig masked, nested/token/clientSecret masked, non-sensitive kept, non-JSON passthrough. `go vet ./...` clean; full `go test ./...` passes; build clean.

🤖 Generated with Claude Code
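An added illustration of the redaction approach described in the comment above (example code written for this page, not the project's own `redactDebugBody` from client.go). It assumes the key list and patterns given in the comment, and adds a recursive walk over the decoded JSON so that credential fields nested in objects or arrays are masked as well; as on the page, only the logged copy is changed and non-JSON bodies pass through untouched.

```go
package main

import (
	"encoding/json"
	"strings"
)

// isSensitive reports whether a JSON key should be masked in the debug view.
func isSensitive(key string) bool {
	if key == "kubeConfig" || key == "client-certificate-data" {
		return true
	}
	k := strings.ToLower(key) // token, client-key-data, clientSecret, password match here
	return strings.Contains(k, "secret") || strings.Contains(k, "password") ||
		strings.HasSuffix(k, "token") || strings.HasSuffix(k, "key-data")
}

// redactValue walks the decoded JSON so nested credential fields are masked too.
func redactValue(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, val := range t {
			if isSensitive(k) {
				t[k] = "[REDACTED]"
			} else {
				t[k] = redactValue(val)
			}
		}
		return t
	case []interface{}:
		for i := range t {
			t[i] = redactValue(t[i])
		}
		return t
	}
	return v
}

// RedactDebugBody returns a masked copy for logging only; non-JSON passes through.
func RedactDebugBody(body []byte) []byte {
	var v interface{}
	if err := json.Unmarshal(body, &v); err != nil {
		return body
	}
	out, err := json.Marshal(redactValue(v))
	if err != nil {
		return body
	}
	return out
}
```

Call `RedactDebugBody` only on the bytes handed to the debug logger; the request and response bodies the command actually uses must never be passed through it.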