fix: harden statuspage migration error handling

debidong · debidong · commit a7d39d953b93 · 2026-04-20T15:54:13.000+08:00
diff --git a/internal/cli/status_page_migrate.go b/internal/cli/status_page_migrate.go
@@ -15,6 +15,33 @@ import (
 )
 
 const migrationSourceAtlassian = "atlassian"
+const migrationErrorBodyLimit = 4096
+
+var migrationSensitiveBodyKeys = map[string]struct{}{
+	"apikey":        {},
+	"xapikey":       {},
+	"accesskey":     {},
+	"password":      {},
+	"passwd":        {},
+	"pwd":           {},
+	"token":         {},
+	"accesstoken":   {},
+	"refreshtoken":  {},
+	"idtoken":       {},
+	"sessiontoken":  {},
+	"authtoken":     {},
+	"oauthtoken":    {},
+	"bearertoken":   {},
+	"authorization": {},
+	"auth":          {},
+	"secret":        {},
+	"clientsecret":  {},
+	"secretkey":     {},
+	"privatekey":    {},
+	"signingkey":    {},
+	"credential":    {},
+	"credentials":   {},
+}
 
 type statusPageMigrationService interface {
 	StartStructure(ctx context.Context, sourceAPIKey, sourcePageID string) (*migrationStartResult, error)
@@ -173,16 +200,16 @@ func (a *statusPageMigrationAPI) do(ctx context.Context, method, path string, qu
 
 	resp, err := a.httpClient.Do(req)
 	if err != nil {
-		return fmt.Errorf("request failed: %w", err)
+		return fmt.Errorf("request failed: %s", redactAppKey(err.Error(), a.appKey))
 	}
 	defer func() { _ = resp.Body.Close() }()
 
 	if resp.StatusCode != http.StatusOK {
-		bodyBytes, readErr := io.ReadAll(resp.Body)
+		bodyBytes, readErr := io.ReadAll(io.LimitReader(resp.Body, migrationErrorBodyLimit))
 		if readErr != nil {
 			return fmt.Errorf("API client error (HTTP %d)", resp.StatusCode)
 		}
-		return fmt.Errorf("API client error (HTTP %d): %s", resp.StatusCode, strings.TrimSpace(string(bodyBytes)))
+		return fmt.Errorf("API client error (HTTP %d): %s", resp.StatusCode, sanitizeMigrationBody(string(bodyBytes)))
 	}
 
 	if err := json.NewDecoder(resp.Body).Decode(out); err != nil {
@@ -207,6 +234,85 @@ func (a *statusPageMigrationAPI) do(ctx context.Context, method, path string, qu
 	return nil
 }
 
+func redactAppKey(message, appKey string) string {
+	if appKey == "" {
+		return message
+	}
+
+	redacted := strings.ReplaceAll(message, appKey, "[redacted]")
+	redacted = strings.ReplaceAll(redacted, url.QueryEscape(appKey), "[redacted]")
+	return redacted
+}
+
+func sanitizeMigrationBody(body string) string {
+	if body == "" {
+		return body
+	}
+
+	var v any
+	if err := json.Unmarshal([]byte(body), &v); err != nil {
+		return body
+	}
+
+	sanitized, redacted := sanitizeMigrationJSONValue(v)
+	if !redacted {
+		return body
+	}
+
+	out, err := json.Marshal(sanitized)
+	if err != nil {
+		return body
+	}
+	return string(out)
+}
+
+func sanitizeMigrationJSONValue(v any) (any, bool) {
+	switch value := v.(type) {
+	case map[string]any:
+		sanitized := make(map[string]any, len(value))
+		redacted := false
+		for key, item := range value {
+			if isMigrationSensitiveBodyKey(key) {
+				sanitized[key] = "[REDACTED]"
+				redacted = true
+				continue
+			}
+
+			sanitizedItem, itemRedacted := sanitizeMigrationJSONValue(item)
+			sanitized[key] = sanitizedItem
+			redacted = redacted || itemRedacted
+		}
+		return sanitized, redacted
+	case []any:
+		sanitized := make([]any, len(value))
+		redacted := false
+		for i, item := range value {
+			sanitizedItem, itemRedacted := sanitizeMigrationJSONValue(item)
+			sanitized[i] = sanitizedItem
+			redacted = redacted || itemRedacted
+		}
+		return sanitized, redacted
+	default:
+		return v, false
+	}
+}
+
+func isMigrationSensitiveBodyKey(key string) bool {
+	_, ok := migrationSensitiveBodyKeys[normalizeMigrationSensitiveBodyKey(key)]
+	return ok
+}
+
+func normalizeMigrationSensitiveBodyKey(key string) string {
+	var b strings.Builder
+	b.Grow(len(key))
+	for _, r := range strings.ToLower(strings.TrimSpace(key)) {
+		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') {
+			b.WriteRune(r)
+		}
+	}
+	return b.String()
+}
+
 func newStatusPageMigrateCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "migrate",
diff --git a/internal/cli/status_page_migrate_test.go b/internal/cli/status_page_migrate_test.go
@@ -4,12 +4,27 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"fmt"
+	"io"
 	"net/http"
-	"net/http/httptest"
 	"strings"
 	"testing"
 )
 
+type roundTripperFunc func(*http.Request) (*http.Response, error)
+
+func (f roundTripperFunc) RoundTrip(req *http.Request) (*http.Response, error) {
+	return f(req)
+}
+
+func jsonResponse(statusCode int, body string) *http.Response {
+	return &http.Response{
+		StatusCode: statusCode,
+		Header:     make(http.Header),
+		Body:       io.NopCloser(strings.NewReader(body)),
+	}
+}
+
 func TestStatusPageMigrationAPIStartStructure(t *testing.T) {
 	t.Parallel()
 
@@ -18,25 +33,21 @@ func TestStatusPageMigrationAPIStartStructure(t *testing.T) {
 	var gotAppKey string
 	var gotBody map[string]any
 
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		gotMethod = r.Method
-		gotPath = r.URL.Path
-		gotAppKey = r.URL.Query().Get("app_key")
-		if err := json.NewDecoder(r.Body).Decode(&gotBody); err != nil {
-			t.Fatalf("decode body: %v", err)
-		}
-		w.Header().Set("Content-Type", "application/json")
-		_ = json.NewEncoder(w).Encode(map[string]any{
-			"data": map[string]any{"job_id": "job-1"},
-		})
-	}))
-	defer ts.Close()
-
 	api := &statusPageMigrationAPI{
-		httpClient: ts.Client(),
-		baseURL:    ts.URL,
-		appKey:     "fd-app-key",
-		userAgent:  "flashduty-cli/test",
+		httpClient: &http.Client{
+			Transport: roundTripperFunc(func(r *http.Request) (*http.Response, error) {
+				gotMethod = r.Method
+				gotPath = r.URL.Path
+				gotAppKey = r.URL.Query().Get("app_key")
+				if err := json.NewDecoder(r.Body).Decode(&gotBody); err != nil {
+					t.Fatalf("decode body: %v", err)
+				}
+				return jsonResponse(http.StatusOK, `{"data":{"job_id":"job-1"}}`), nil
+			}),
+		},
+		baseURL:   "https://status.example.com",
+		appKey:    "fd-app-key",
+		userAgent: "flashduty-cli/test",
 	}
 
 	out, err := api.StartStructure(context.Background(), "atlassian-key", "page_123")
@@ -68,32 +79,18 @@ func TestStatusPageMigrationAPIGetStatus(t *testing.T) {
 	var gotPath string
 	var gotJobID string
 
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		gotMethod = r.Method
-		gotPath = r.URL.Path
-		gotJobID = r.URL.Query().Get("job_id")
-		w.Header().Set("Content-Type", "application/json")
-		_ = json.NewEncoder(w).Encode(map[string]any{
-			"data": map[string]any{
-				"job_id":         "job-2",
-				"source_page_id": "src-1",
-				"target_page_id": 1024,
-				"phase":          "history",
-				"status":         "running",
-				"progress": map[string]any{
-					"total_steps":     5,
-					"completed_steps": 3,
-				},
-			},
-		})
-	}))
-	defer ts.Close()
-
 	api := &statusPageMigrationAPI{
-		httpClient: ts.Client(),
-		baseURL:    ts.URL,
-		appKey:     "fd-app-key",
-		userAgent:  "flashduty-cli/test",
+		httpClient: &http.Client{
+			Transport: roundTripperFunc(func(r *http.Request) (*http.Response, error) {
+				gotMethod = r.Method
+				gotPath = r.URL.Path
+				gotJobID = r.URL.Query().Get("job_id")
+				return jsonResponse(http.StatusOK, `{"data":{"job_id":"job-2","source_page_id":"src-1","target_page_id":1024,"phase":"history","status":"running","progress":{"total_steps":5,"completed_steps":3}}}`), nil
+			}),
+		},
+		baseURL:   "https://status.example.com",
+		appKey:    "fd-app-key",
+		userAgent: "flashduty-cli/test",
 	}
 
 	out, err := api.GetStatus(context.Background(), "job-2")
@@ -115,29 +112,101 @@ func TestStatusPageMigrationAPIGetStatus(t *testing.T) {
 	}
 }
 
+func TestStatusPageMigrationAPIRedactsAppKeyFromTransportError(t *testing.T) {
+	t.Parallel()
+
+	api := &statusPageMigrationAPI{
+		httpClient: &http.Client{
+			Transport: roundTripperFunc(func(req *http.Request) (*http.Response, error) {
+				return nil, fmt.Errorf("transport failed for %s", req.URL.String())
+			}),
+		},
+		baseURL:   "https://status.example.com",
+		appKey:    "secret-app-key",
+		userAgent: "flashduty-cli/test",
+	}
+
+	_, err := api.GetStatus(context.Background(), "job-4")
+	if err == nil {
+		t.Fatal("GetStatus() error = nil, want transport error")
+	}
+	if strings.Contains(err.Error(), "secret-app-key") {
+		t.Fatalf("transport error leaked app key: %v", err)
+	}
+}
+
+func TestStatusPageMigrationAPICapsErrorBodyReads(t *testing.T) {
+	t.Parallel()
+
+	largeBody := strings.Repeat("0123456789", 2000)
+
+	api := &statusPageMigrationAPI{
+		httpClient: &http.Client{
+			Transport: roundTripperFunc(func(r *http.Request) (*http.Response, error) {
+				return jsonResponse(http.StatusBadGateway, largeBody), nil
+			}),
+		},
+		baseURL:   "https://status.example.com",
+		appKey:    "fd-app-key",
+		userAgent: "flashduty-cli/test",
+	}
+
+	_, err := api.GetStatus(context.Background(), "job-5")
+	if err == nil {
+		t.Fatal("GetStatus() error = nil, want HTTP error")
+	}
+	if got := len(err.Error()); got > 5000 {
+		t.Fatalf("HTTP error too large: got %d chars, want <= 5000", got)
+	}
+}
+
+func TestStatusPageMigrationAPISanitizesErrorBodyFields(t *testing.T) {
+	t.Parallel()
+
+	api := &statusPageMigrationAPI{
+		httpClient: &http.Client{
+			Transport: roundTripperFunc(func(r *http.Request) (*http.Response, error) {
+				return jsonResponse(http.StatusBadGateway, `{"error":{"message":"upstream failed","details":{"ApiKey":"response-secret","nested":[{"ACCESS_TOKEN":"response-token"}]}}}`), nil
+			}),
+		},
+		baseURL:   "https://status.example.com",
+		appKey:    "fd-app-key",
+		userAgent: "flashduty-cli/test",
+	}
+
+	_, err := api.GetStatus(context.Background(), "job-6")
+	if err == nil {
+		t.Fatal("GetStatus() error = nil, want HTTP error")
+	}
+	if strings.Contains(err.Error(), "response-secret") || strings.Contains(err.Error(), "response-token") {
+		t.Fatalf("HTTP error leaked secret body fields: %v", err)
+	}
+	if !strings.Contains(err.Error(), "[REDACTED]") {
+		t.Fatalf("HTTP error missing redaction marker: %v", err)
+	}
+}
+
 func TestStatusPageMigrationAPICancel(t *testing.T) {
 	t.Parallel()
 
 	var gotMethod string
 	var gotPath string
 	var gotBody map[string]any
 
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		gotMethod = r.Method
-		gotPath = r.URL.Path
-		if err := json.NewDecoder(r.Body).Decode(&gotBody); err != nil {
-			t.Fatalf("decode body: %v", err)
-		}
-		w.Header().Set("Content-Type", "application/json")
-		_ = json.NewEncoder(w).Encode(map[string]any{"data": map[string]any{}})
-	}))
-	defer ts.Close()
-
 	api := &statusPageMigrationAPI{
-		httpClient: ts.Client(),
-		baseURL:    ts.URL,
-		appKey:     "fd-app-key",
-		userAgent:  "flashduty-cli/test",
+		httpClient: &http.Client{
+			Transport: roundTripperFunc(func(r *http.Request) (*http.Response, error) {
+				gotMethod = r.Method
+				gotPath = r.URL.Path
+				if err := json.NewDecoder(r.Body).Decode(&gotBody); err != nil {
+					t.Fatalf("decode body: %v", err)
+				}
+				return jsonResponse(http.StatusOK, `{"data":{}}`), nil
+			}),
+		},
+		baseURL:   "https://status.example.com",
+		appKey:    "fd-app-key",
+		userAgent: "flashduty-cli/test",
 	}
 
 	if err := api.Cancel(context.Background(), "job-3"); err != nil {
