From e8e9373098027445e08bf72bfb1eb15119eb1502 Mon Sep 17 00:00:00 2001 From: GatewayJ <18332154+GatewayJ@users.noreply.github.com> Date: Sat, 11 Jul 2026 23:33:28 +0800 Subject: [PATCH] fix: redact STS credential field aliases --- src/sts/tests.rs | 10 ++++++++-- src/utils/sanitize.rs | 30 +++++++++++++++++++++++++++++- 2 files changed, 37 insertions(+), 3 deletions(-) diff --git a/src/sts/tests.rs b/src/sts/tests.rs index dc98d04..986372c 100644 --- a/src/sts/tests.rs +++ b/src/sts/tests.rs @@ -155,15 +155,21 @@ fn unexpected_status_includes_upstream_json_error_summary() { fn unexpected_status_redacts_sensitive_upstream_error_summary() { let err = RustfsClientError::unexpected_status_with_body( StatusCode::BAD_REQUEST, - r#"{"code":"InvalidRequest","message":"secretkey: SK_TEST clientSecret: oidc-secret AKIA_XML"}"#, + r#"{"code":"InvalidRequest","message":"secretkey: SK_TEST clientSecret: oidc-secret SecretAccessKey: SK_STS AccessKeyId: AKIA_STS SK_XML AKIA_XML"}"#, ); let message = err.to_string(); assert!(message.contains("secretkey: ")); assert!(message.contains("clientSecret: ")); - assert!(message.contains("")); + assert!(message.contains("SecretAccessKey: ")); + assert!(message.contains("AccessKeyId: ")); + assert!(message.contains("")); + assert!(message.contains("")); assert!(!message.contains("SK_TEST")); assert!(!message.contains("oidc-secret")); + assert!(!message.contains("SK_STS")); + assert!(!message.contains("AKIA_STS")); + assert!(!message.contains("SK_XML")); assert!(!message.contains("AKIA_XML")); } diff --git a/src/utils/sanitize.rs b/src/utils/sanitize.rs index f1fc5bc..bea44a0 100644 --- a/src/utils/sanitize.rs +++ b/src/utils/sanitize.rs @@ -12,15 +12,21 @@ // See the License for the specific language governing permissions and // limitations under the License. -const SENSITIVE_KEYS: [&str; 16] = [ +const SENSITIVE_KEYS: [&str; 22] = [ "token", "password", "accesskey", "access_key", "access-key", + "accesskeyid", + "access_key_id", + "access-key-id", "secretkey", "secret_key", "secret-key", + "secretaccesskey", + "secret_access_key", + "secret-access-key", "clientsecret", "client_secret", "client-secret", @@ -42,7 +48,9 @@ fn is_sensitive_key(key: &str) -> bool { "token" | "password" | "accesskey" + | "accesskeyid" | "secretkey" + | "secretaccesskey" | "clientsecret" | "sessiontoken" | "credential" @@ -282,6 +290,26 @@ mod tests { assert!(!sanitized.contains("SK_XML")); } + #[test] + fn redacts_sts_credential_field_names() { + let message = r#"AccessKeyId: AKIA_TEXT SecretAccessKey: SK_TEXT {"access_key_id":"AKIA_JSON","secret-access-key":"SK_JSON"} AKIA_XML SK_XML"#; + + let sanitized = redact_sensitive_pairs(message); + + assert!(sanitized.contains("AccessKeyId: ")); + assert!(sanitized.contains("SecretAccessKey: ")); + assert!(sanitized.contains(r#""access_key_id":"""#)); + assert!(sanitized.contains(r#""secret-access-key":"""#)); + assert!(sanitized.contains("")); + assert!(sanitized.contains("")); + assert!(!sanitized.contains("AKIA_TEXT")); + assert!(!sanitized.contains("SK_TEXT")); + assert!(!sanitized.contains("AKIA_JSON")); + assert!(!sanitized.contains("SK_JSON")); + assert!(!sanitized.contains("AKIA_XML")); + assert!(!sanitized.contains("SK_XML")); + } + #[test] fn handles_unicode_without_panicking() { let message = "错误🔐 token: tok_123 用户=测试 secretkey: SK_TEST 完成";