security(promtail): redact URL-embedded credentials (#194) #511
Merged
Adds two new replace stages to the hermes pipeline:
- scheme://user:password@host -> scheme://<redacted>@host
- ?api_key=... / &access_token=... / &client_secret=... / etc -> <redacted>

Adds regression tests asserting both forms are stripped before logs leave promtail.

Closes #194

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…194) The nats scrape job gained credential redaction in #191 (merged after this branch diverged). Mirror the URL-embedded + query-string secret stages so the new pipeline has the same coverage as hermes. Generalise the regression tests to assert that every scrape job which performs credential redaction also strips URL-embedded credentials and query-string API keys. Refs #194 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2d75683 to f18eafe
…#194) The rebased redaction pipelines on top of #190 (syslog secrets) and #191/#509 (NATS secrets) left the syslog job without URL-embedded credential and query-string secret redaction, while hermes and nats both had them. The test_url_embedded_credentials_redacted_in_all_redaction_pipelines test (which enumerates all jobs already doing replace-based redaction) demanded URL-cred handling for every such job — so syslog regressed. Also adds 'yamllint disable-line rule:line-length' to the three query-string regex lines, which intentionally exceed 120 chars because splitting an alternation across YAML lines would inject whitespace into the regex and break matching. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
… (hermes and nats):
- scheme://user:password@host -> scheme://<redacted>@host
- ?api_key=..., &access_token=..., &client_secret=..., &password=..., &token=..., &auth_token=..., &secret=..., &key=... -> <redacted>

Adds regression tests in tests/test_configs.py that iterate over every redaction-enabled scrape job and assert both forms are stripped.

Closes #194
Test plan
- `pixi run test` — 319 passed, coverage 99.40%
- … (alice:hunter2@, ?api_key=abc, &access_token=..., plus a no-creds URL).
- … (`python -c "import yaml; yaml.safe_load(open('configs/promtail.yml'))"`).

Generated with Claude Code
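The two redaction forms from the summary and the sample inputs from the test plan (alice:hunter2@, ?api_key=abc, &access_token=..., a no-creds URL), as an added Python example that is not the project's promtail config or its tests/test_configs.py. The two regexes are assumptions approximating the described stages, written in RE2-compatible syntax so the same patterns could be pasted into a promtail `replace` stage; the substitution here is done with Python's `re`, not promtail's named-group semantics. It also reproduces the caveat from the third commit message: an alternation split across YAML lines picks up a space and stops matching.

```python
import re

# Assumed patterns mirroring the two stages described in the PR, not the project's own regexes.
# Stage 1: scheme://user:password@host  ->  scheme://<redacted>@host
URL_CREDS_RE = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*://)[^\s/:@]+:[^\s/@]+@"
)
# Stage 2: ?api_key=... / &access_token=... / ... -> <redacted>
# The alternation must stay on one line; see alternation_with_whitespace_matches() below.
QUERY_SECRET_RE = re.compile(
    r"(?i)(?P<param>[?&](?:api_key|access_token|client_secret|password|token|auth_token|secret|key)=)[^&\s\"']+"
)
REDACTED = "<redacted>"


def redact_line(line: str) -> str:
    """Apply both stages in pipeline order to a single log line."""
    line = URL_CREDS_RE.sub(lambda m: m.group("scheme") + REDACTED + "@", line)
    line = QUERY_SECRET_RE.sub(lambda m: m.group("param") + REDACTED, line)
    return line


def secrets_remaining(redacted: str, secrets: list[str]) -> list[str]:
    """Regression-style check: which known secret values survived redaction?"""
    return [s for s in secrets if s in redacted]


def alternation_with_whitespace_matches(line: str) -> bool:
    """Simulate the alternation split across two YAML lines: YAML joins the
    pieces with a space, so the regex literally looks for 'api_key ' and
    ' access_token' and no longer matches a real query parameter."""
    broken = re.compile(r"[?&](?:api_key | access_token)=")
    return broken.search(line) is not None


# Constructed sample log lines (not real traffic).
SAMPLE_LINES = [
    "connecting to postgres://alice:hunter2@db.internal:5432/app",
    "GET /v1/items?api_key=abc&page=2 200",
    "callback https://api.example.test/cb?code=xyz&access_token=eyJhbGciOi.payload.sig&state=1",
    "GET https://example.test/healthz 200",          # no credentials: must be unchanged
    "upstream https://db.internal:5432/app timeout",  # host:port without creds: must be unchanged
]
SAMPLE_SECRETS = ["hunter2", "api_key=abc", "eyJhbGciOi.payload.sig"]


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        out = redact_line(raw)
        leaked = secrets_remaining(out, SAMPLE_SECRETS)
        print(f"{raw}\n  -> {out}\n  leaked: {leaked}")
    print("split alternation matches ?api_key=abc:",
          alternation_with_whitespace_matches("GET /?api_key=abc"))
```

The host:port line is included because a URL-credential regex that is too loose (`[^@]+@`, for example) will happily eat `db.internal:5432/app ...` up to the next `@` on the line; anchoring the password class on `/`, whitespace and `@` keeps the pattern from crossing path boundaries.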