You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
after a discussion with Claude, the following points surfaced.
is pretty important.
I'm not sure if that's really an issue. if a diff ends with a secret and the secret isn't printed that's not too bad. but ideally it should end with the **redacted** string.
I didn't dive in the logic enough for that one, up to you.
I think this is a valid point as well, we discussed and decided we would include the ClusterID.
I'll try to fix 1, 2 and 4, and leave 3 to you if that's ok for you
Data race on maskedPrinter — AddSecrets is called concurrently from all node goroutines in Nodes() on the shared topf.maskedPrinter, no mutex protection
Flush() never called — maskedwriter buffers bytes internally to handle secrets that span multiple Write calls. If the dry-run output ends with bytes that happen to be a prefix of a registered secret, those bytes stay in the buffer and are never written to stdout. apply.go only calls fmt.Fprintln(n.t.MaskedPrinter(), ...) with no subsequent Flush(). A simple fix would be to call Flush() after each print, or wrap MaskedPrinter() in an io.WriteCloser that flushes on Close.
Prefix-of-a-prefix bug in maskedwriter — In bufferEndsWithSecretPrefix, maxFound accumulates across the secrets loop. Once a longer partial match has raised maxFound to N, any shorter secret of length ≤ N can never be detected as a full match because the inner for i := maxLen; i > maxFound loop never executes. Concretely: with secrets ["abcd", "abc"] and input "abce", the buffer holds "abc" waiting for a possible "abcd" match; when 'e' arrives no suffix matches any secret prefix, so all 4 bytes are flushed as-is and "abc" is never redacted.
Cluster.ID missing from collectSecrets — The cluster ID appears in the Talos machine config that the dry-run diff outputs, but bundle.Cluster.ID is not included in the list of secrets collected in secrets.go.
Should be addressed now with a different approach. Flush was also the wrong semantics. io.WriteCloser makes more sense here. Close() is the signal that tells the writer that we're finished, so it can flush out whatever is pending (while making sure any pending short matches are redacted).
The maskedwriter is not optimized for performance, but I think it's more readable now and should be correct.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #9.
Redacts any obvious secrets in the dry run output by collecting secrets and using a custom writer.