Avoid logging keyvault secrets (#883)

einarmo · web-flow · commit 8bd05bbb0347 · 2025-10-29T08:27:31.000+01:00
This was quite unfortunate. To cover future scenarios, I just completely
ignore `Secret` now.
diff --git a/Extractor/Utils/ExtractorUtils.cs b/Extractor/Utils/ExtractorUtils.cs
@@ -494,7 +494,10 @@ public static string ConfigToString(FullConfig config)
         {
             return ConfigurationUtils.ConfigToString(config,
                 Enumerable.Empty<string>(),
-                new[] { "ConfigDir", "BaseExcludeProperties", "IdpAuthentication", "ApiKey", "Password" },
+                new[] {
+                    "ConfigDir", "BaseExcludeProperties", "IdpAuthentication",
+                    "ApiKey", "Password", "KeyVault", "Secret"
+                },
                 new[] { "Cognite" },
                 false);
         }
diff --git a/manifest.yml b/manifest.yml
@@ -67,6 +67,11 @@ schema:
    - "https://raw.githubusercontent.com/"
 
 versions:
+  "2.40.1":
+    description: Avoid logging keyvault secrets.
+    changelog:
+      security:
+        - Avoid logging keyvault secrets when running the extractor in debug mode.
   "2.40.0":
     description: Improve state restoration handling with retry logic.
     changelog:

Original file line number	Diff line number	Diff line change
`@@ -494,7 +494,10 @@ public static string ConfigToString(FullConfig config)`
`494`	`494`	`{`
`495`	`495`	`return ConfigurationUtils.ConfigToString(config,`
`496`	`496`	`Enumerable.Empty<string>(),`
`497`		`- new[] { "ConfigDir", "BaseExcludeProperties", "IdpAuthentication", "ApiKey", "Password" },`
	`497`	`+ new[] {`
	`498`	`+ "ConfigDir", "BaseExcludeProperties", "IdpAuthentication",`
	`499`	`+ "ApiKey", "Password", "KeyVault", "Secret"`
	`500`	`+ },`
`498`	`501`	`new[] { "Cognite" },`
`499`	`502`	`false);`
`500`	`503`	`}`