api,sink: mask sink uri secrets in errors

[asddongmen]

What problem does this PR solve?

Issue Number: ref #5094

Backport #5093 to release-8.5 so sensitive sink URI data is not exposed through sink parsing and validation errors.

What is changed and how it works?

Cherry-picked the three commits from #5093 onto release-8.5:

• 4d95fd459 api,sink: mask sink uri secrets in errors
• b6a114a94 update git ignore
• 71275a7fd api,sink: preserve sanitized uri parse errors

The backport masks sink URI credentials in OpenAPI create/update/resume/verify-table paths, sink New/Verify, and shared cluster checks. It also preserves sanitized URI parse errors by redacting url.Error contents. During conflict resolution, pkg/check/active_active_tso_indexes.go hunks were omitted because that file does not exist on release-8.5.

Check List

Tests

• Unit test

Questions

Will it cause performance regression or break compatibility?

No. It only changes error message redaction for invalid or unsupported sink URI paths.

Do you need to update user documentation, design documentation or monitoring documentation?

No.

Release note

None

[ti-chi-bot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[ti-chi-bot]

This cherry pick PR is for a release branch and has not yet been approved by triage owners.
Adding the do-not-merge/cherry-pick-not-approved label.

To merge this cherry pick:

1. It must be LGTMed and approved by the reviewers firstly.
2. For pull requests to TiDB-x branches, it must have no failed tests.
3. AFTER it has lgtm and approved labels, please wait for the cherry-pick merging approval from triage owners.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 519df9c1-15dc-402d-a559-648e88bd64f7

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces changes to mask sensitive data (such as credentials) in sink URIs and URL errors across various components, including API endpoints, downstream adapters, and cluster checks. It adds utility functions to mask sensitive query parameters and redact invalid URIs, along with comprehensive unit tests. The review feedback highlights critical security improvements: traversing the error chain in MaskSensitiveDataInURLError to ensure wrapped errors are properly masked, and using the newly introduced genSinkURIInvalidError helper when sink.Verify fails to prevent potential credential leaks in API responses.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

In Go (and especially TiCDC), errors are frequently wrapped using errors.Trace or other wrapping mechanisms. The current implementation of MaskSensitiveDataInURLError uses a direct type assertion err.(*url.Error), which will fail to detect and mask the sensitive URL if the error is wrapped.

We should traverse the error chain to find and mask the nested *url.Error in-place, ensuring that sensitive credentials are never leaked even when the error is wrapped.

Suggested change

	func MaskSensitiveDataInURLError(err error) error {
	if err == nil {
	return nil
	}
	urlErr, ok := err.(*url.Error)
	if !ok {
	return err
	}
	return &url.Error{
	Op: urlErr.Op,
	URL: MaskSensitiveDataInURIForError(urlErr.URL),
	Err: urlErr.Err,
	}
	}
	func MaskSensitiveDataInURLError(err error) error {
	if err == nil {
	return nil
	}
	type unwrapper interface {
	Unwrap() error
	}
	for curr := err; curr != nil; {
	if urlErr, ok := curr.(*url.Error); ok {
	urlErr.URL = MaskSensitiveDataInURIForError(urlErr.URL)
	return err
	}
	u, ok := curr.(unwrapper)
	if !ok {
	break
	}
	curr = u.Unwrap()
	}
	return err
	}

[gemini-code-assist]

If sink.Verify fails, it can return a *url.Error (e.g., due to connection or DNS issues). Wrapping err directly without util.MaskSensitiveDataInURLError will leak the sensitive credentials in the API response.

We should use genSinkURIInvalidError here, which automatically masks both the err (if it contains a *url.Error) and the sinkURI.

Suggested change

	_ = c.Error(errors.WrapError(errors.ErrSinkURIInvalid, err, maskSinkURIForError(cfg.SinkURI)))
	_ = c.Error(genSinkURIInvalidError(cfg.SinkURI, err))

[gemini-code-assist]

If sink.Verify fails during changefeed update, it can return a *url.Error containing sensitive credentials. Wrapping err directly without util.MaskSensitiveDataInURLError will leak these credentials in the API response.

We should use genSinkURIInvalidError here to ensure both the nested error and the URI are properly masked.

Suggested change

	_ = c.Error(errors.WrapError(errors.ErrSinkURIInvalid, err, maskSinkURIForError(oldCfInfo.SinkURI)))
	_ = c.Error(genSinkURIInvalidError(oldCfInfo.SinkURI, err))

[asddongmen]

/test all

[asddongmen]

/test all

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 3AceShowHand, wk989898

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [3AceShowHand,wk989898]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2026-06-12 09:15:32.899994754 +0000 UTC m=+1124233.970312143: ☑️ agreed by 3AceShowHand.
• 2026-06-12 09:44:42.465315956 +0000 UTC m=+1125983.535633386: ☑️ agreed by wk989898.

[ti-chi-bot]

This cherry pick PR is for a release branch and has not yet been approved by triage owners.
Adding the do-not-merge/cherry-pick-not-approved label.

To merge this cherry pick:

1. It must be LGTMed and approved by the reviewers firstly.
2. For pull requests to TiDB-x branches, it must have no failed tests.
3. AFTER it has lgtm and approved labels, please wait for the cherry-pick merging approval from triage owners.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.