fix: should not contain plaintext token in log message. (#2462)

Signed-off-by: ashing <[email protected]>

Author: ronething

internal/provider/adc/adc.go

@@ -51,6 +51,20 @@ type adcConfig struct {
 	TlsVerify   bool
 }
 
+// MarshalJSON implements custom JSON marshaling for adcConfig
+// It excludes the Token field for security reasons
+func (c adcConfig) MarshalJSON() ([]byte, error) {
+	return json.Marshal(struct {
+		Name        string   `json:"name"`
+		ServerAddrs []string `json:"serverAddrs"`
+		TlsVerify   bool     `json:"tlsVerify"`
+	}{
+		Name:        c.Name,
+		ServerAddrs: c.ServerAddrs,
+		TlsVerify:   c.TlsVerify,
+	})
+}
+
 type BackendMode string
 
 const (

internal/provider/adc/executor.go

@@ -100,7 +100,7 @@ func (e *DefaultADCExecutor) runForSingleServer(ctx context.Context, serverAddr,
 
 	log.Debugw("running adc command",
 		zap.String("command", strings.Join(cmd.Args, " ")),
-		zap.Strings("env", env),
+		zap.Strings("env", filterSensitiveEnv(env)),
 	)
 
 	if err := cmd.Run(); err != nil {
@@ -138,6 +138,19 @@ func (e *DefaultADCExecutor) prepareEnv(serverAddr, mode, token string) []string
 	}
 }
 
+// filterSensitiveEnv filters out sensitive information from environment variables for logging
+func filterSensitiveEnv(env []string) []string {
+	filtered := make([]string, 0, len(env))
+	for _, envVar := range env {
+		if strings.Contains(envVar, "ADC_TOKEN=") {
+			filtered = append(filtered, "ADC_TOKEN=***")
+		} else {
+			filtered = append(filtered, envVar)
+		}
+	}
+	return filtered
+}
+
 func (e *DefaultADCExecutor) buildCmdError(runErr error, stdout, stderr []byte) error {
 	errMsg := string(stderr)
 	if errMsg == "" {