Skip to content

fix(nvca): stop logging ReVal request credentials#229

Open
mesutoezdil wants to merge 4 commits into
NVIDIA:mainfrom
mesutoezdil:mesutoezdil/fix/nvca-reval-credential-logging
Open

fix(nvca): stop logging ReVal request credentials#229
mesutoezdil wants to merge 4 commits into
NVIDIA:mainfrom
mesutoezdil:mesutoezdil/fix/nvca-reval-credential-logging

Conversation

@mesutoezdil

@mesutoezdil mesutoezdil commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Render() logged the full input struct at V(2), including APIKey, HelmRegistryAuthConfig, and ImageRegistryAuthConfig, real credentials. Changed the log line to a safe field subset, redacted HelmChartURL too.

Tested: go build, go vet, go test ./internal/miniservice/..., and golangci-lint --enable-only gosec all pass.

Refs: NO-REF

Render() logged the full HelmReValRenderInput at V(2), including
APIKey, HelmRegistryAuthConfig, and ImageRegistryAuthConfig, all of
which carry credentials for the ReVal service and image/chart
registries. Log a safe subset of fields instead.

The struct is still marshaled as-is into the actual HTTP request body,
which is correct; only the debug log line changed.

Verified with go build, go vet, go test, and golangci-lint
--enable-only gosec, all clean.

NO-REF

Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
@mesutoezdil
mesutoezdil requested a review from a team as a code owner July 17, 2026 07:31
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

revalClient.Render now logs only non-sensitive request fields, redacts credentials from Helm chart URLs, and retains the API key in the request payload with a documented GoSec suppression.

Changes

Secure Render Logging

Layer / File(s) Summary
Render logging and payload handling
src/compute-plane-services/nvca/internal/miniservice/reval_client.go
Render logging now includes selected non-credential fields and redacts Helm chart URL userinfo, queries, and fragments; the API key payload handling has a GoSec suppression comment.
Redaction validation and test wiring
src/compute-plane-services/nvca/internal/miniservice/reval_client_test.go, src/compute-plane-services/nvca/internal/miniservice/BUILD.bazel
Tests verify credential-free Render logs and URL redaction behavior, with the logging test dependency added to the Bazel target.

Estimated code review effort: 2 (Simple) | ~15 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: preventing ReVal request credentials from being logged.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
src/compute-plane-services/nvca/internal/miniservice/reval_client.go (1)

122-123: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Narrow and expand the gosec suppression rationale.

The suppression applies to the complete json.Marshal(input) statement, which serializes API and registry credentials, but the comment mentions only input.APIKey. Use the narrowest rule-specific suppression supported by the repository and document every intentionally serialized credential to avoid masking future findings.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/compute-plane-services/nvca/internal/miniservice/reval_client.go` around
lines 122 - 123, Update the gosec suppression on the json.Marshal call in the
ReVal client to use the repository’s narrowest rule-specific form, and expand
its rationale to explicitly cover every intentionally serialized API and
registry credential in input. Keep the suppression scoped only to this marshal
statement and avoid broadening it beyond the relevant gosec rule.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/compute-plane-services/nvca/internal/miniservice/reval_client.go`:
- Around line 97-103: Add regression coverage for the verbosity-2 payload
logging around the revalidation client, verifying logs retain metadata such as
HelmChartURL, ReleaseName, InstanceType, GPUName, and K8sVersion while excluding
APIKey, HelmRegistryAuthConfig, and ImageRegistryAuthConfig.
- Around line 95-103: Update the Payload logging in the reval client to avoid
logging input.HelmChartURL verbatim. Normalize or redact the URL to retain only
a safe host/path representation, excluding userinfo and query parameters, and
use that sanitized value for the helmChart field while preserving the other
logged fields.

---

Nitpick comments:
In `@src/compute-plane-services/nvca/internal/miniservice/reval_client.go`:
- Around line 122-123: Update the gosec suppression on the json.Marshal call in
the ReVal client to use the repository’s narrowest rule-specific form, and
expand its rationale to explicitly cover every intentionally serialized API and
registry credential in input. Keep the suppression scoped only to this marshal
statement and avoid broadening it beyond the relevant gosec rule.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5c442b84-b6ca-4739-9c01-6c98dc7ca343

📥 Commits

Reviewing files that changed from the base of the PR and between 8329fba and e22cc36.

📒 Files selected for processing (1)
  • src/compute-plane-services/nvca/internal/miniservice/reval_client.go

Address CodeRabbit review on this PR:

- HelmChartURL can carry userinfo or a signed query string, so strip
  both before logging it, keeping only scheme/host/path.
- Add TestReValClientPayloadLogRedactsCredentials, which renders with
  a chart URL, API key, and registry auth all containing distinct
  secret markers, captures the V(2) log output via a funcr logger, and
  asserts none of the secret markers appear while the safe fields do.
- Add table tests for the new redactedHelmChartURL helper.

Updated internal/miniservice/BUILD.bazel with the new
go-logr/logr/funcr test dep.

NO-REF

Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
…test

Extend the existing credential-redaction regression test to also set
ImageRegistryAuthConfig (previously only HelmRegistryAuthConfig was
covered) and assert the retained metadata fields, closing the gap
CodeRabbit flagged on PR NVIDIA#229.

JIRA: NO-REF
NVBug: none
Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant