cmd: redact header flag values in config log #4523
Merged
The "Parsed config" log line dumps all flag values verbatim. Flags containing "header" (beacon-node-headers, otlp-headers) were not redacted, leaking authentication credentials in logs. Add a header-aware redaction path that preserves the header key for debuggability while masking the value (e.g., "Authorization=xxxxx").
category: bug
ticket: none
Codecov Report: all modified and coverable lines are covered by tests.

Coverage Diff (main vs. #4523):

              main    #4523     +/-
Coverage    57.05%   57.06%  +0.01%
Files          245      245
Lines        32964    32971      +7
Hits         18806    18816     +10
Misses       11782    11777      -5
Partials      2376     2378      +2
Removes nolint directives that caused a nolintlint/revive catch-22 by eliminating the fmt.Sprintf calls entirely.
category: refactor
ticket: none
pinebit approved these changes on May 15, 2026
Summary

- `beacon-node-headers`, `otlp-headers`) were not redacted, leaking authentication credentials in logs.
- `redact()` that preserves the header key for debuggability while masking the value (e.g., `Authorization=xxxxx`).
- `flagsToLogFields` loop.

Description

The `redact()` function in `cmd/cmd.go` already handled `auth-token` flags (full redaction) and `address` flags (URL password redaction), but did not cover `header` flags. When `--beacon-node-headers=Authorization=Basic <token>` was set, the full cleartext value appeared in the startup log. This led to a real credential exposure when a log file was accidentally committed to a public repo.

The fix adds a `strings.Contains(flag, "header")` check that delegates to `redactHeaderValue()`, which splits on the first `=` and replaces the value with `xxxxx` while keeping the key visible for debugging.

Test plan

- `TestRedact`: new subcases for `beacon-node-headers`, `otlp-headers`, and a header without a value
- `TestFlagsToLogFieldsRedactsHeaders`: verifies slice values are redacted when processed through `flagsToLogFields`
- `TestRedact` and `TestFlagsToLogFields` cases still pass

category: bug
ticket: none
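A stand-alone illustration of the redaction path described above, written for this page rather than taken from the PR's `cmd/cmd.go`; the exact form of the address-branch masking and the handling of a header with no `=` are assumptions, as is the `mask` constant name:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const mask = "xxxxx" // the placeholder the PR description shows
// redactHeaderValue keeps the header key and masks what follows the first "=".
// No "=" means no value to leak: returned unchanged (assumed; the PR only says the case is tested).
func redactHeaderValue(value string) string {
	if key, _, found := strings.Cut(value, "="); found {
		return key + "=" + mask
	}
	return value
}

// redact follows the flag-name checks the PR describes: token flags fully masked,
// address flags with the URL password masked (form assumed), header flags keeping their key.
func redact(flag, value string) string {
	switch {
	case strings.Contains(flag, "auth-token"):
		return mask
	case strings.Contains(flag, "header"):
		return redactHeaderValue(value)
	case strings.Contains(flag, "address"):
		if u, err := url.Parse(value); err == nil && u.User != nil {
			if _, ok := u.User.Password(); ok {
				u.User = url.UserPassword(u.User.Username(), mask)
				return u.String()
			}
		}
	}
	return value
}

// flagsToLogFields applies redact to each element of a slice-valued flag,
// the case the PR's TestFlagsToLogFieldsRedactsHeaders covers.
func flagsToLogFields(flag string, values []string) []string {
	out := make([]string, 0, len(values))
	for _, v := range values {
		out = append(out, redact(flag, v))
	}
	return out
}

func main() {
	fmt.Println(flagsToLogFields("beacon-node-headers", []string{"Authorization=Basic c2VjcmV0", "X-Request-Id"}))
}
```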