
fix(cluster): guard substring slice + redact join credentials in logs#654

Merged
ArangoGutierrez merged 1 commit into NVIDIA:main from ArangoGutierrez:fix/cluster-join-credentials
Feb 13, 2026

Conversation

@ArangoGutierrez
Collaborator

Summary

  • Add length guard before CACertHash[:32] to prevent panic on truncated openssl output
  • Redact bootstrap token and certificate key from log output

Audit Findings

Changes

  • pkg/provisioner/cluster.go: Length guard + log redaction for join credentials

Test plan

  • gofmt — no formatting issues
  • go build — compiles
  • go test ./pkg/... — all tests pass

CACertHash[:32] panics if openssl output is truncated. Add length
guard. Also redact bootstrap token and certificate key from logs
to prevent partial credential exposure.

Audit findings NVIDIA#3 (HIGH), NVIDIA#19 (MEDIUM).

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>
Copilot AI review requested due to automatic review settings February 12, 2026 20:26

Copilot AI left a comment


Pull request overview

This pull request addresses two audit findings related to the cluster provisioning code:

  1. HIGH severity: Prevents a potential panic when slicing CACertHash if the openssl output is truncated
  2. MEDIUM severity: Redacts sensitive join credentials (bootstrap token and certificate key) from log output

Changes:

  • Added length guard before substring slicing to prevent panic on short CA cert hash
  • Redacted bootstrap token from logs (changed from plaintext to [REDACTED])
  • Redacted certificate key from logs (removed the partial display)
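The two fixes described in the PR summary and in the review above (a length guard before slicing the CA cert hash, and redaction of the bootstrap token and certificate key before anything reaches a log) are shown together below as an added, stand-alone Go example. It is not code from this PR or from the NVIDIA repository; the names SafeCACertHashPrefix, JoinCredentials, RedactedJoinLogLine and LeaksSecret, the 32-character prefix length and the sample values are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// caCertHashPrefixLen is the display prefix taken from the hex-encoded hash,
// matching the CACertHash[:32] slice the PR guards (assumed value).
const caCertHashPrefixLen = 32

// ErrShortCACertHash signals that the hash is shorter than the prefix, which is
// what a truncated openssl pipeline produces.
var ErrShortCACertHash = errors.New("CA cert hash shorter than expected; openssl output may be truncated")

// SafeCACertHashPrefix returns the first caCertHashPrefixLen characters of hash.
// An unguarded hash[:32] panics on short input; this returns an error instead.
func SafeCACertHashPrefix(hash string) (string, error) {
	hash = strings.TrimSpace(hash)
	if len(hash) < caCertHashPrefixLen {
		return "", fmt.Errorf("%w (got %d chars)", ErrShortCACertHash, len(hash))
	}
	return hash[:caCertHashPrefixLen], nil
}

// JoinCredentials is a hypothetical bundle of what a node needs to join the
// cluster. BootstrapToken and CertificateKey are secrets; CACertHash is the
// pinning value used during discovery and is kept (truncated) in the log line.
type JoinCredentials struct {
	Endpoint       string
	BootstrapToken string
	CertificateKey string
	CACertHash     string
}

// RedactedJoinLogLine builds the only string that should be handed to a logger:
// endpoint and hash prefix stay, both secrets are replaced by [REDACTED].
func RedactedJoinLogLine(c JoinCredentials) (string, error) {
	prefix, err := SafeCACertHashPrefix(c.CACertHash)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("joining %s token=[REDACTED] certificate-key=[REDACTED] ca-cert-hash=sha256:%s...",
		c.Endpoint, prefix), nil
}

// LeaksSecret is a defender-side self-check: it reports whether a line about to
// be logged still contains either raw secret. Useful as a unit-test assertion
// on every log path that touches join credentials.
func LeaksSecret(line string, c JoinCredentials) bool {
	for _, secret := range []string{c.BootstrapToken, c.CertificateKey} {
		if secret != "" && strings.Contains(line, secret) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values, not real credentials.
	creds := JoinCredentials{
		Endpoint:       "10.0.0.1:6443",
		BootstrapToken: "abcdef.0123456789abcdef",
		CertificateKey: "0123456789abcdef0123456789abcdef",
		CACertHash:     strings.Repeat("b", 64),
	}
	if line, err := RedactedJoinLogLine(creds); err == nil {
		fmt.Println(line, "leaks:", LeaksSecret(line, creds))
	}

	// Truncated openssl output: the guard returns an error rather than panicking.
	creds.CACertHash = "b1c2d3"
	if _, err := RedactedJoinLogLine(creds); err != nil {
		fmt.Println("error:", err)
	}
}
```

The guard returns a wrapped ErrShortCACertHash so callers can distinguish a truncated hash from other failures with errors.Is; the redaction helper is the single place where the log string is assembled, so a test on LeaksSecret covers every caller.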

@coveralls
Copy link

Pull Request Test Coverage Report for Build 21963025628

Details

  • 0 of 6 (0.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.04%) to 47.465%

Changes Missing Coverage      Covered Lines    Changed/Added Lines    %
pkg/provisioner/cluster.go    0                6                      0.0%

Totals                        Coverage Status
Change from base Build 21955389842:  -0.04%
Covered Lines:                2500
Relevant Lines:               5267

💛 - Coveralls

@ArangoGutierrez ArangoGutierrez merged commit 7aa5bce into NVIDIA:main Feb 13, 2026
25 checks passed

3 participants