From 7be7b90e03ceb72d02467fc9b6533b7f2ffe889f Mon Sep 17 00:00:00 2001
From: Carlos Eduardo Arango Gutierrez
Date: Thu, 12 Feb 2026 21:25:48 +0100
Subject: [PATCH] fix(cluster): guard substring slice + redact join credentials in logs

CACertHash[:32] panics if openssl output is truncated. Add length guard. Also redact bootstrap token and certificate key from logs to prevent partial credential exposure. Audit findings #3 (HIGH), #19 (MEDIUM).

Signed-off-by: Carlos Eduardo Arango Gutierrez
---
 pkg/provisioner/cluster.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/provisioner/cluster.go b/pkg/provisioner/cluster.go
index d596a6672..dcce14a50 100644
--- a/pkg/provisioner/cluster.go
+++ b/pkg/provisioner/cluster.go
@@ -344,9 +344,13 @@ func (cp *ClusterProvisioner) extractJoinInfo(provisioner *Provisioner) error {
 		cp.CertificateKey = strings.TrimSpace(string(certKeyOut))
 	}
 
-	cp.log.Info("Join credentials ready - Token: %s, CA Hash: %s", cp.JoinToken, cp.CACertHash[:32]+"...")
+	hashPreview := cp.CACertHash
+	if len(hashPreview) > 32 {
+		hashPreview = hashPreview[:32] + "..."
+	}
+	cp.log.Info("Join credentials ready - Token: [REDACTED], CA Hash: %s", hashPreview)
 	if cp.CertificateKey != "" {
-		cp.log.Info("Certificate key for control-plane joins: %s...", cp.CertificateKey[:16])
+		cp.log.Info("Certificate key for control-plane joins: [REDACTED]")
 	}
 	return nil