Merge pull request #133 from buildkite/fix/remove-possible-secret-exposures

lizrabuya · web-flow · commit e0da1d5590c6 · 2025-09-16T12:00:50.000+10:00
Remove possible exposure to secrets in error handling
diff --git a/s3secrets-helper/secrets/secrets.go b/s3secrets-helper/secrets/secrets.go
@@ -108,7 +108,7 @@ func Run(conf *Config) error {
 
 	if ok, err := conf.Client.BucketExists(); !ok {
 		if err != nil {
-			log.Printf("+++ :warning: Bucket %q not found: %v", bucket, err)
+			log.Printf("+++ :warning: Bucket %q not found", bucket)
 		} else {
 			log.Printf("+++ :warning: Bucket %q doesn't exist", bucket)
 		}
@@ -219,7 +219,7 @@ func handleSSHKeys(conf *Config, results <-chan getResult) error {
 	for r := range results {
 		if r.err != nil {
 			if r.err != sentinel.ErrNotFound && r.err != sentinel.ErrForbidden {
-				log.Printf("+++ :warning: Failed to download ssh-key %s/%s: %v", r.bucket, r.key, r.err)
+				log.Printf("+++ :warning: Failed to download ssh-key %s/%s", r.bucket, r.key)
 			}
 			continue
 		}
@@ -233,7 +233,7 @@ func handleSSHKeys(conf *Config, results <-chan getResult) error {
 			r.bucket, r.key, len(r.data), conf.SSHAgent.Pid(),
 		)
 		if err := conf.SSHAgent.Add(r.data); err != nil {
-			return fmt.Errorf("ssh-agent add: %w", err)
+			return fmt.Errorf("failed to add ssh-agent")
 		}
 		keyFound = true
 	}
@@ -246,7 +246,7 @@ func handleSSHKeys(conf *Config, results <-chan getResult) error {
 		log.Printf("See https://buildkite.com/docs/agent/v3/aws/elastic-ci-stack/ec2-linux-and-windows/secrets-bucket for more information.")
 	}
 	if _, err := io.Copy(conf.EnvSink, conf.SSHAgent.Stdout()); err != nil {
-		return fmt.Errorf("copying ssh-agent env: %w", err)
+		return fmt.Errorf("failed in copying ssh-agent env")
 	}
 	return nil
 }
@@ -256,7 +256,7 @@ func handleEnvs(conf *Config, results <-chan getResult) error {
 	for r := range results {
 		if r.err != nil {
 			if r.err != sentinel.ErrNotFound && r.err != sentinel.ErrForbidden {
-				log.Printf("+++ :warning: Failed to download env from %s/%s: %v", r.bucket, r.key, r.err)
+				log.Printf("+++ :warning: Failed to download env from %s/%s", r.bucket, r.key)
 			}
 			continue
 		}
@@ -272,7 +272,7 @@ func handleEnvs(conf *Config, results <-chan getResult) error {
 			// Use godotenv library to properly handle multi-line secrets and avoid parsing bugs
 			envMap, err := godotenv.UnmarshalBytes(r.data)
 			if err != nil {
-				log.Printf("Warning: failed to parse env file %s/%s: %v", r.bucket, r.key, err)
+				log.Printf("Warning: failed to parse env file %s/%s", r.bucket, r.key)
 			} else {
 				for key, value := range envMap {
 					if isSecretVar(key) && len(value) > 0 {
@@ -282,7 +282,7 @@ func handleEnvs(conf *Config, results <-chan getResult) error {
 			}
 
 			if _, err := bytes.NewReader(data).WriteTo(conf.EnvSink); err != nil {
-				return fmt.Errorf("copying env: %w", err)
+				return fmt.Errorf("failed to write environment data")
 			}
 		}
 	}
@@ -295,7 +295,7 @@ func handleGitCredentials(conf *Config, results <-chan getResult) error {
 	for r := range results {
 		if r.err != nil {
 			if r.err != sentinel.ErrNotFound && r.err != sentinel.ErrForbidden {
-				log.Printf("+++ :warning: Failed to check %s/%s: %v", r.bucket, r.key, r.err)
+				log.Printf("+++ :warning: Failed to check %s/%s", r.bucket, r.key)
 			}
 			continue
 		}
@@ -326,7 +326,7 @@ func handleGitCredentials(conf *Config, results <-chan getResult) error {
 	env := "GIT_CONFIG_PARAMETERS=\"" + strings.Join(singleQuotedHelpers, " ") + "\"\n"
 
 	if _, err := io.WriteString(conf.EnvSink, env); err != nil {
-		return fmt.Errorf("writing GIT_CONFIG_PARAMETERS env: %w", err)
+		return fmt.Errorf("failed to write GIT_CONFIG_PARAMETERS env")
 	}
 	return nil
 }
@@ -341,7 +341,7 @@ func handleSecrets(conf *Config, results <-chan getResult) error {
 	for r := range results {
 		if r.err != nil {
 			if r.err != sentinel.ErrNotFound && r.err != sentinel.ErrForbidden {
-				log.Printf("+++ :warning: Failed to download secret %s/%s: %v", r.bucket, r.key, r.err)
+				log.Printf("+++ :warning: Failed to download secret %s/%s", r.bucket, r.key)
 			}
 			continue
 		}
@@ -372,7 +372,7 @@ func handleSecrets(conf *Config, results <-chan getResult) error {
 	}
 	envString = strings.Join(singleQuotedSecrets, "\n") + "\n"
 	if _, err := io.WriteString(conf.EnvSink, envString); err != nil {
-		return fmt.Errorf("writing SECRETS to env: %w", err)
+		return fmt.Errorf("failed to write secrets to environment")
 	}
 	return nil
 }
@@ -602,15 +602,15 @@ func processSingleChunk(log *log.Logger, secrets []string, chunkNum, totalChunks
 	}()
 
 	if err := tempFile.Chmod(0600); err != nil {
-		return fmt.Errorf("failed to set permissions on temporary file for chunk %d: %w", chunkNum, err)
+		return fmt.Errorf("failed to set permissions on temporary file for chunk %d", chunkNum)
 	}
 
 	if _, err := tempFile.Write(jsonData); err != nil {
-		return fmt.Errorf("failed to write chunk %d to temporary file: %w", chunkNum, err)
+		return fmt.Errorf("failed to write chunk %d to temporary file", chunkNum)
 	}
 
 	if err := tempFile.Sync(); err != nil {
-		return fmt.Errorf("failed to sync temporary file for chunk %d: %w", chunkNum, err)
+		return fmt.Errorf("failed to sync temporary file for chunk %d", chunkNum)
 	}
 
 	if err := tempFile.Close(); err != nil {

Original file line number	Diff line number	Diff line change
`@@ -108,7 +108,7 @@ func Run(conf *Config) error {`
`108`	`108`
`109`	`109`	`if ok, err := conf.Client.BucketExists(); !ok {`
`110`	`110`	`if err != nil {`
`111`		`- log.Printf("+++ :warning: Bucket %q not found: %v", bucket, err)`
	`111`	`+ log.Printf("+++ :warning: Bucket %q not found", bucket)`
`112`	`112`	`} else {`
`113`	`113`	`log.Printf("+++ :warning: Bucket %q doesn't exist", bucket)`
`114`	`114`	`}`
`@@ -219,7 +219,7 @@ func handleSSHKeys(conf *Config, results <-chan getResult) error {`
`219`	`219`	`for r := range results {`
`220`	`220`	`if r.err != nil {`
`221`	`221`	`if r.err != sentinel.ErrNotFound && r.err != sentinel.ErrForbidden {`
`222`		`- log.Printf("+++ :warning: Failed to download ssh-key %s/%s: %v", r.bucket, r.key, r.err)`
	`222`	`+ log.Printf("+++ :warning: Failed to download ssh-key %s/%s", r.bucket, r.key)`
`223`	`223`	`}`
`224`	`224`	`continue`
`225`	`225`	`}`
`@@ -233,7 +233,7 @@ func handleSSHKeys(conf *Config, results <-chan getResult) error {`
`233`	`233`	`r.bucket, r.key, len(r.data), conf.SSHAgent.Pid(),`
`234`	`234`	`)`
`235`	`235`	`if err := conf.SSHAgent.Add(r.data); err != nil {`
`236`		`- return fmt.Errorf("ssh-agent add: %w", err)`
	`236`	`+ return fmt.Errorf("failed to add ssh-agent")`
`237`	`237`	`}`
`238`	`238`	`keyFound = true`
`239`	`239`	`}`
`@@ -246,7 +246,7 @@ func handleSSHKeys(conf *Config, results <-chan getResult) error {`
`246`	`246`	`log.Printf("See https://buildkite.com/docs/agent/v3/aws/elastic-ci-stack/ec2-linux-and-windows/secrets-bucket for more information.")`
`247`	`247`	`}`
`248`	`248`	`if _, err := io.Copy(conf.EnvSink, conf.SSHAgent.Stdout()); err != nil {`
`249`		`- return fmt.Errorf("copying ssh-agent env: %w", err)`
	`249`	`+ return fmt.Errorf("failed in copying ssh-agent env")`
`250`	`250`	`}`
`251`	`251`	`return nil`
`252`	`252`	`}`
`@@ -256,7 +256,7 @@ func handleEnvs(conf *Config, results <-chan getResult) error {`
`256`	`256`	`for r := range results {`
`257`	`257`	`if r.err != nil {`
`258`	`258`	`if r.err != sentinel.ErrNotFound && r.err != sentinel.ErrForbidden {`
`259`		`- log.Printf("+++ :warning: Failed to download env from %s/%s: %v", r.bucket, r.key, r.err)`
	`259`	`+ log.Printf("+++ :warning: Failed to download env from %s/%s", r.bucket, r.key)`
`260`	`260`	`}`
`261`	`261`	`continue`
`262`	`262`	`}`
`@@ -272,7 +272,7 @@ func handleEnvs(conf *Config, results <-chan getResult) error {`
`272`	`272`	`// Use godotenv library to properly handle multi-line secrets and avoid parsing bugs`
`273`	`273`	`envMap, err := godotenv.UnmarshalBytes(r.data)`
`274`	`274`	`if err != nil {`
`275`		`- log.Printf("Warning: failed to parse env file %s/%s: %v", r.bucket, r.key, err)`
	`275`	`+ log.Printf("Warning: failed to parse env file %s/%s", r.bucket, r.key)`
`276`	`276`	`} else {`
`277`	`277`	`for key, value := range envMap {`
`278`	`278`	`if isSecretVar(key) && len(value) > 0 {`
`@@ -282,7 +282,7 @@ func handleEnvs(conf *Config, results <-chan getResult) error {`
`282`	`282`	`}`
`283`	`283`
`284`	`284`	`if _, err := bytes.NewReader(data).WriteTo(conf.EnvSink); err != nil {`
`285`		`- return fmt.Errorf("copying env: %w", err)`
	`285`	`+ return fmt.Errorf("failed to write environment data")`
`286`	`286`	`}`
`287`	`287`	`}`
`288`	`288`	`}`
`@@ -295,7 +295,7 @@ func handleGitCredentials(conf *Config, results <-chan getResult) error {`
`295`	`295`	`for r := range results {`
`296`	`296`	`if r.err != nil {`
`297`	`297`	`if r.err != sentinel.ErrNotFound && r.err != sentinel.ErrForbidden {`
`298`		`- log.Printf("+++ :warning: Failed to check %s/%s: %v", r.bucket, r.key, r.err)`
	`298`	`+ log.Printf("+++ :warning: Failed to check %s/%s", r.bucket, r.key)`
`299`	`299`	`}`
`300`	`300`	`continue`
`301`	`301`	`}`
`@@ -326,7 +326,7 @@ func handleGitCredentials(conf *Config, results <-chan getResult) error {`
`326`	`326`	`env := "GIT_CONFIG_PARAMETERS=\"" + strings.Join(singleQuotedHelpers, " ") + "\"\n"`
`327`	`327`
`328`	`328`	`if _, err := io.WriteString(conf.EnvSink, env); err != nil {`
`329`		`- return fmt.Errorf("writing GIT_CONFIG_PARAMETERS env: %w", err)`
	`329`	`+ return fmt.Errorf("failed to write GIT_CONFIG_PARAMETERS env")`
`330`	`330`	`}`
`331`	`331`	`return nil`
`332`	`332`	`}`
`@@ -341,7 +341,7 @@ func handleSecrets(conf *Config, results <-chan getResult) error {`
`341`	`341`	`for r := range results {`
`342`	`342`	`if r.err != nil {`
`343`	`343`	`if r.err != sentinel.ErrNotFound && r.err != sentinel.ErrForbidden {`
`344`		`- log.Printf("+++ :warning: Failed to download secret %s/%s: %v", r.bucket, r.key, r.err)`
	`344`	`+ log.Printf("+++ :warning: Failed to download secret %s/%s", r.bucket, r.key)`
`345`	`345`	`}`
`346`	`346`	`continue`
`347`	`347`	`}`
`@@ -372,7 +372,7 @@ func handleSecrets(conf *Config, results <-chan getResult) error {`
`372`	`372`	`}`
`373`	`373`	`envString = strings.Join(singleQuotedSecrets, "\n") + "\n"`
`374`	`374`	`if _, err := io.WriteString(conf.EnvSink, envString); err != nil {`
`375`		`- return fmt.Errorf("writing SECRETS to env: %w", err)`
	`375`	`+ return fmt.Errorf("failed to write secrets to environment")`
`376`	`376`	`}`
`377`	`377`	`return nil`
`378`	`378`	`}`
`@@ -602,15 +602,15 @@ func processSingleChunk(log *log.Logger, secrets []string, chunkNum, totalChunks`
`602`	`602`	`}()`
`603`	`603`
`604`	`604`	`if err := tempFile.Chmod(0600); err != nil {`
`605`		`- return fmt.Errorf("failed to set permissions on temporary file for chunk %d: %w", chunkNum, err)`
	`605`	`+ return fmt.Errorf("failed to set permissions on temporary file for chunk %d", chunkNum)`
`606`	`606`	`}`
`607`	`607`
`608`	`608`	`if _, err := tempFile.Write(jsonData); err != nil {`
`609`		`- return fmt.Errorf("failed to write chunk %d to temporary file: %w", chunkNum, err)`
	`609`	`+ return fmt.Errorf("failed to write chunk %d to temporary file", chunkNum)`
`610`	`610`	`}`
`611`	`611`
`612`	`612`	`if err := tempFile.Sync(); err != nil {`
`613`		`- return fmt.Errorf("failed to sync temporary file for chunk %d: %w", chunkNum, err)`
	`613`	`+ return fmt.Errorf("failed to sync temporary file for chunk %d", chunkNum)`
`614`	`614`	`}`
`615`	`615`
`616`	`616`	`if err := tempFile.Close(); err != nil {`