fix(nvca): stop logging ReVal request credentials#229
Conversation
Render() logged the full HelmReValRenderInput at V(2), including APIKey, HelmRegistryAuthConfig, and ImageRegistryAuthConfig, all of which carry credentials for the ReVal service and image/chart registries. Log a safe subset of fields instead. The struct is still marshaled as-is into the actual HTTP request body, which is correct; only the debug log line changed. Verified with go build, go vet, go test, and golangci-lint --enable-only gosec, all clean. NO-REF Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
📝 WalkthroughWalkthrough
ChangesSecure Render Logging
Estimated code review effort: 2 (Simple) | ~15 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
src/compute-plane-services/nvca/internal/miniservice/reval_client.go (1)
122-123: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winNarrow and expand the
gosecsuppression rationale.The suppression applies to the complete
json.Marshal(input)statement, which serializes API and registry credentials, but the comment mentions onlyinput.APIKey. Use the narrowest rule-specific suppression supported by the repository and document every intentionally serialized credential to avoid masking future findings.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/compute-plane-services/nvca/internal/miniservice/reval_client.go` around lines 122 - 123, Update the gosec suppression on the json.Marshal call in the ReVal client to use the repository’s narrowest rule-specific form, and expand its rationale to explicitly cover every intentionally serialized API and registry credential in input. Keep the suppression scoped only to this marshal statement and avoid broadening it beyond the relevant gosec rule.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/compute-plane-services/nvca/internal/miniservice/reval_client.go`:
- Around line 97-103: Add regression coverage for the verbosity-2 payload
logging around the revalidation client, verifying logs retain metadata such as
HelmChartURL, ReleaseName, InstanceType, GPUName, and K8sVersion while excluding
APIKey, HelmRegistryAuthConfig, and ImageRegistryAuthConfig.
- Around line 95-103: Update the Payload logging in the reval client to avoid
logging input.HelmChartURL verbatim. Normalize or redact the URL to retain only
a safe host/path representation, excluding userinfo and query parameters, and
use that sanitized value for the helmChart field while preserving the other
logged fields.
---
Nitpick comments:
In `@src/compute-plane-services/nvca/internal/miniservice/reval_client.go`:
- Around line 122-123: Update the gosec suppression on the json.Marshal call in
the ReVal client to use the repository’s narrowest rule-specific form, and
expand its rationale to explicitly cover every intentionally serialized API and
registry credential in input. Keep the suppression scoped only to this marshal
statement and avoid broadening it beyond the relevant gosec rule.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 5c442b84-b6ca-4739-9c01-6c98dc7ca343
📒 Files selected for processing (1)
src/compute-plane-services/nvca/internal/miniservice/reval_client.go
Address CodeRabbit review on this PR: - HelmChartURL can carry userinfo or a signed query string, so strip both before logging it, keeping only scheme/host/path. - Add TestReValClientPayloadLogRedactsCredentials, which renders with a chart URL, API key, and registry auth all containing distinct secret markers, captures the V(2) log output via a funcr logger, and asserts none of the secret markers appear while the safe fields do. - Add table tests for the new redactedHelmChartURL helper. Updated internal/miniservice/BUILD.bazel with the new go-logr/logr/funcr test dep. NO-REF Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
…reval-credential-logging
…test Extend the existing credential-redaction regression test to also set ImageRegistryAuthConfig (previously only HelmRegistryAuthConfig was covered) and assert the retained metadata fields, closing the gap CodeRabbit flagged on PR NVIDIA#229. JIRA: NO-REF NVBug: none Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
Render() logged the full input struct at V(2), including APIKey, HelmRegistryAuthConfig, and ImageRegistryAuthConfig, real credentials. Changed the log line to a safe field subset, redacted HelmChartURL too.
Tested: go build, go vet, go test ./internal/miniservice/..., and golangci-lint --enable-only gosec all pass.
Refs: NO-REF