pkg/cli: Implement redaction validation and user confirmation for debug zip uploads

- Added `validateRedactionStatus` function to check the redaction status of debug zips based on the `debug_zip_command_flags.txt` file.
- Introduced user prompts for confirmation when redaction is unclear or not enabled.
- Updated `runDebugZipUpload` to validate redaction status before proceeding with uploads.

This change improves the safety and user awareness regarding sensitive data in debug zip uploads to Datadog.

Part of: CRDB-49203
Epic: CRDB-52093
Release Notes: None

Author: Abhinav1299

pkg/cli/testdata/table_dumps/debug_zip_command_flags.txt

@@ -0,0 +1 @@
+ --concurrency=15 --cpu-profile-duration=5s --files-from=2025-06-15 08:45:34 --files-until=2025-06-18 08:45:34 --include-goroutine-stacks=true --include-range-info=true --include-running-job-traces=true --redact=true

pkg/cli/zip.go

@@ -48,6 +48,10 @@ type zipRequest struct {
 	pathName string
 }
 
+const (
+	debugZipCommandFlagsFileName = "debug_zip_command_flags.txt"
+)
+
 type debugZipContext struct {
 	z              *zipper
 	clusterPrinter *zipReporter
@@ -415,7 +419,7 @@ done
 				return filter
 			})
 
-			if err := z.createRaw(s, zc.prefix+"/debug_zip_command_flags.txt", []byte(flags)); err != nil {
+			if err := z.createRaw(s, zc.prefix+"/"+debugZipCommandFlagsFileName, []byte(flags)); err != nil {
 				return err
 			}
 

pkg/cli/zip_test.go

@@ -1234,7 +1234,7 @@ func TestCommandFlags(t *testing.T) {
 	}
 
 	for _, f := range r.File {
-		if f.Name == "debug/debug_zip_command_flags.txt" {
+		if f.Name == "debug/"+debugZipCommandFlagsFileName {
 			rc, err := f.Open()
 			if err != nil {
 				t.Fatal(err)
@@ -1251,7 +1251,7 @@ func TestCommandFlags(t *testing.T) {
 			return
 		}
 	}
-	assert.Fail(t, "debug/debug_zip_command_flags.txt is not generated")
+	assert.Fail(t, "debug/"+debugZipCommandFlagsFileName+" is not generated")
 
 	if err = r.Close(); err != nil {
 		t.Fatal(err)

pkg/cli/zip_upload.go

@@ -6,6 +6,7 @@
 package cli
 
 import (
+	"bufio"
 	"bytes"
 	"compress/gzip"
 	"context"
@@ -37,6 +38,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/util/system"
 	"github.com/cockroachdb/cockroach/pkg/util/timeutil"
 	"github.com/cockroachdb/errors"
+	"github.com/cockroachdb/errors/oserror"
 	"github.com/spf13/cobra"
 	"golang.org/x/oauth2/google"
 	"google.golang.org/api/option"
@@ -202,13 +204,114 @@ func uploadJSONFile(fileName string, message any, uuid string) error {
 // pipeline which enriches the logs with more fields.
 var defaultDDTags = []string{"service:CRDB-SH", "env:debug", "source:cockroachdb"}
 
+// buildRedactionWarning creates a warning message about sensitive data in debug zips.
+// It includes a common list of sensitive data types that may be present.
+func buildRedactionWarning(prefix string) string {
+	return prefix +
+		"This means it may contain sensitive data including:\n" +
+		"  • Personally Identifiable Information (PII)\n" +
+		"  • Database credentials and connection strings\n" +
+		"  • Internal cluster details\n" +
+		"  • Potentially sensitive log data\n\n" +
+		"It is advisable to only upload redacted debug zips to Datadog.\n"
+}
+
+// promptUserForConfirmationImpl shows a warning message and prompts the user for confirmation.
+// It returns nil if the user confirms, or an error if they decline or if there's an input error.
+// In dry-run mode, it shows the warning but skips the prompt.
+func promptUserForConfirmationImpl(warningMsg string) error {
+	// Skip interactive prompt in dry-run mode
+	if debugZipUploadOpts.dryRun {
+		fmt.Fprintf(os.Stderr, "%s", warningMsg)
+		fmt.Fprintf(os.Stderr, "DRY RUN: Would prompt for confirmation here.\n")
+		return nil
+	}
+
+	fmt.Fprintf(os.Stderr, "%s", warningMsg)
+	fmt.Fprintf(os.Stderr, "Do you want to continue with the upload? (y/N): ")
+
+	reader := bufio.NewReader(os.Stdin)
+	line, err := reader.ReadString('\n')
+	if err != nil {
+		return fmt.Errorf("failed to read user input: %w", err)
+	}
+
+	line = strings.ToLower(strings.TrimSpace(line))
+	if len(line) == 0 {
+		line = "n" // Default to 'no' when user presses enter without input
+	}
+
+	if line == "y" || line == "yes" {
+		fmt.Fprintf(os.Stderr, "Proceeding with upload...\n")
+		return nil
+	}
+
+	return fmt.Errorf("upload aborted")
+}
+
+// promptUserForConfirmation is a variable that can be mocked in tests
+var promptUserForConfirmation = promptUserForConfirmationImpl
+
+// validateRedactionStatus checks if the debug zip was created with redaction enabled
+// by examining the debugZipCommandFlagsFileName file in the system tenant.
+// If redaction is not enabled, it warns the user and prompts for confirmation.
+//
+// User experience examples:
+//
+//  1. Redacted zip (--redact=true): Proceeds silently
+//  2. Unredacted zip (--redact=false): Shows warning and prompts:
+//     "⚠️  WARNING: Your debug zip was created WITHOUT redaction..."
+//     "Do you want to continue with the upload? (y/N): "
+//  3. Unknown redaction status: Shows warning and prompts similarly
+//
+// The function respects dry-run mode by showing warnings without prompting.
+func validateRedactionStatus(debugDirPath string) error {
+	flagsFilePath := path.Join(debugDirPath, debugZipCommandFlagsFileName)
+
+	flagsContent, err := os.ReadFile(flagsFilePath)
+	if err != nil {
+		if oserror.IsNotExist(err) {
+			// File doesn't exist - we can't determine redaction status, so warn and prompt
+			warningMsg := buildRedactionWarning(
+				"⚠️  WARNING: The debug zip redaction status is unclear.\n")
+
+			return promptUserForConfirmation(warningMsg)
+		}
+		return fmt.Errorf("⚠️  error: the debug zip redaction status is unclear, err: %w", err)
+	}
+
+	flagsStr := string(flagsContent)
+
+	if strings.Contains(flagsStr, "--redact=true") {
+		return nil
+	}
+
+	var warningMsg string
+	if strings.Contains(flagsStr, "--redact=false") {
+		warningMsg = buildRedactionWarning(
+			"⚠️  WARNING: The debug zip was created WITHOUT redaction.\n",
+		)
+	} else {
+		warningMsg = buildRedactionWarning(
+			"⚠️  WARNING: The debug zip redaction status is unclear.\n",
+		)
+	}
+
+	return promptUserForConfirmation(warningMsg)
+}
+
 func runDebugZipUpload(cmd *cobra.Command, args []string) error {
 	runtime.GOMAXPROCS(system.NumCPU())
 
 	if err := validateZipUploadReadiness(); err != nil {
 		return err
 	}
 
+	// Check redaction status before proceeding with upload
+	if err := validateRedactionStatus(args[0]); err != nil {
+		return err
+	}
+
 	// a unique ID for this upload session. This should be used to tag all the artifacts uploaded in this session
 	uploadID := newUploadID(debugZipUploadOpts.clusterName, getCurrentTime())
 

pkg/cli/zip_upload_test.go

@@ -164,6 +164,11 @@ func TestUploadZipEndToEnd(t *testing.T) {
 
 	defer testutils.TestingHook(&gcsLogUpload, writeLogsToGCSHook)()
 
+	// Mock the interactive prompt to always accept (return nil) for end-to-end tests
+	defer testutils.TestingHook(&promptUserForConfirmation, func(warningMsg string) error {
+		return nil // Always accept in end-to-end tests
+	})()
+
 	datadriven.Walk(t, "testdata/upload", func(t *testing.T, path string) {
 		datadriven.RunTest(t, path, func(t *testing.T, d *datadriven.TestData) string {
 			c := NewCLITest(TestCLIParams{})
@@ -281,6 +286,127 @@ func TestAppendUserTags(t *testing.T) {
 	}
 }
 
+func TestValidateRedactionStatus(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+
+	tests := []struct {
+		name          string
+		flagsContent  string
+		fileExists    bool
+		dryRun        bool
+		expectError   bool
+		errorContains string
+		description   string
+	}{
+		{
+			name:         "redacted zip with other flags proceeds silently",
+			flagsContent: " --concurrency=15 --cpu-profile-duration=5s --files-from=2025-06-15 08:45:34 --redact=true --include-range-info=true",
+			fileExists:   true,
+			dryRun:       false,
+			expectError:  false,
+			description:  "When --redact=true is found, no warnings should be shown and upload proceeds",
+		},
+		{
+			name:          "missing file user declines",
+			flagsContent:  "",
+			fileExists:    false,
+			dryRun:        false,
+			expectError:   true,
+			errorContains: "upload aborted",
+			description:   "When file is missing and user declines, should return cancellation error",
+		},
+		{
+			name:          "missing file user accepts",
+			flagsContent:  "",
+			fileExists:    false,
+			dryRun:        false,
+			expectError:   false,
+			errorContains: "user accepts",
+			description:   "When file is missing and user accepts, should proceed without error",
+		},
+		{
+			name:          "unredacted zip user declines",
+			flagsContent:  " --concurrency=1 --redact=false --nodes=1",
+			fileExists:    true,
+			dryRun:        false,
+			expectError:   true,
+			errorContains: "upload aborted",
+			description:   "When --redact=false and user declines, should return cancellation error",
+		},
+		{
+			name:          "unredacted zip user accepts",
+			flagsContent:  " --concurrency=1 --redact=false --nodes=1",
+			fileExists:    true,
+			dryRun:        false,
+			expectError:   false,
+			errorContains: "user accepts",
+			description:   "When --redact=false and user accepts, should proceed without error",
+		},
+		{
+			name:          "unclear redaction status user declines",
+			flagsContent:  " --concurrency=1 --nodes=1",
+			fileExists:    true,
+			dryRun:        false,
+			expectError:   true,
+			errorContains: "upload aborted",
+			description:   "When no --redact flag and user declines, should return cancellation error",
+		},
+		{
+			name:          "unclear redaction status user accepts",
+			flagsContent:  " --concurrency=1 --nodes=1",
+			fileExists:    true,
+			dryRun:        false,
+			expectError:   false,
+			errorContains: "user accepts",
+			description:   "When no --redact flag and user accepts, should proceed without error",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			tempDir := t.TempDir()
+
+			if test.fileExists {
+				flagsFile := path.Join(tempDir, debugZipCommandFlagsFileName)
+				if err := os.WriteFile(flagsFile, []byte(test.flagsContent), 0644); err != nil {
+					t.Fatal(err)
+				}
+			}
+
+			originalDryRun := debugZipUploadOpts.dryRun
+			debugZipUploadOpts.dryRun = test.dryRun
+			defer func() { debugZipUploadOpts.dryRun = originalDryRun }()
+
+			if test.errorContains == "upload aborted" || test.errorContains == "user accepts" {
+				originalPrompt := promptUserForConfirmation
+				switch test.errorContains {
+				case "upload aborted":
+					promptUserForConfirmation = func(warningMsg string) error {
+						require.Contains(t, warningMsg, "WARNING:")
+						return fmt.Errorf("upload aborted")
+					}
+				case "user accepts":
+					promptUserForConfirmation = func(warningMsg string) error {
+						require.Contains(t, warningMsg, "WARNING:")
+						return nil
+					}
+				}
+				defer func() { promptUserForConfirmation = originalPrompt }()
+			}
+
+			// Test validation
+			err := validateRedactionStatus(tempDir)
+
+			if test.expectError {
+				require.Error(t, err, fmt.Sprintf("Test case: %s", test.description))
+				require.Contains(t, err.Error(), test.errorContains, fmt.Sprintf("Test case: %s", test.description))
+			} else {
+				require.NoError(t, err, fmt.Sprintf("Test case: %s", test.description))
+			}
+		})
+	}
+}
+
 func TestZipUploadArtifactTypes(t *testing.T) {
 	defer leaktest.AfterTest(t)()