Skip to content

fix: use exact key matching in report sanitize to prevent false redaction#2636

Open
saiashok0981 wants to merge 3 commits into
buildpacks:mainfrom
saiashok0981:fix/report-sanitize-exact-key-match
Open

fix: use exact key matching in report sanitize to prevent false redaction#2636
saiashok0981 wants to merge 3 commits into
buildpacks:mainfrom
saiashok0981:fix/report-sanitize-exact-key-match

Conversation

@saiashok0981

@saiashok0981 saiashok0981 commented Jun 17, 2026

Copy link
Copy Markdown

Problem

The sanitize() function in report.go protects sensitive values in pack report output by redacting quoted strings on matching TOML field lines. However, it uses strings.HasPrefix to detect field names, which causes false-positive matches on any key that merely starts with one of the sensitive names.

For example, the sensitive field list includes "image" and "name". A future config key such as "image-mirror = ..." or "name-prefix = ..." would unintentionally have its value redacted, because "image-mirror" has the prefix "image".

Additionally, the redaction regex ("(.*?)") is compiled fresh inside sanitize() on every line, even though it is a constant expression. Repeated compilation is wasteful when pack report processes a config file with many lines.

Fix

  • Replace the strings.HasPrefix check with a field-anchored regex that requires the match to be <field-name> followed immediately by optional whitespace and =. This ensures only the exact TOML key is matched, not keys that happen to share a prefix.
  • Pre-compile both the value-redaction regex and the field-match helper at package initialisation time so they are compiled exactly once.

The new pattern for each sensitive field is:
^<field>\s*=

This is consistent with TOML syntax, where key = value and key=value are both valid.

Signed-off-by: saiashok103@gmail.com

Summary

Output

Before

After

Documentation

  • Should this change be documented?
    • Yes, see #___
    • No

Related

Resolves #___

…tion

Problem
-------
The `sanitize()` function in `report.go` protects sensitive values in
`pack report` output by redacting quoted strings on matching TOML field
lines. However, it uses `strings.HasPrefix` to detect field names, which
causes false-positive matches on any key that merely *starts with* one of
the sensitive names.

For example, the sensitive field list includes "image" and "name".
A future config key such as "image-mirror = ..." or "name-prefix = ..."
would unintentionally have its value redacted, because "image-mirror"
has the prefix "image".

Additionally, the redaction regex (`"(.*?)"`) is compiled fresh inside
`sanitize()` on every line, even though it is a constant expression.
Repeated compilation is wasteful when `pack report` processes a config
file with many lines.

Fix
---
- Replace the `strings.HasPrefix` check with a field-anchored regex that
  requires the match to be `<field-name>` followed immediately by
  optional whitespace and `=`. This ensures only the exact TOML key is
  matched, not keys that happen to share a prefix.
- Pre-compile both the value-redaction regex and the field-match helper
  at package initialisation time so they are compiled exactly once.

The new pattern for each sensitive field is:
    `^<field>\s*=`

This is consistent with TOML syntax, where `key = value` and
`key=value` are both valid.

Signed-off-by: saiashok103@gmail.com
@saiashok0981
saiashok0981 requested review from a team as code owners June 17, 2026 18:01
@github-actions github-actions Bot added this to the 0.41.0 milestone Jun 17, 2026
@github-actions github-actions Bot added the type/enhancement Issue that requests a new feature or improvement. label Jun 17, 2026
@jjbustamante jjbustamante changed the title fix: use exact key matching in report sanitize to prevent false redac… fix: use exact key matching in report sanitize to prevent false redaction Jun 23, 2026

@jjbustamante jjbustamante left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @saiashok0981

Thanks for this contribution. Would you mind fixing the DCO check and also adding test coverage to reproduce the behavior? This looks like a bug, if the bug doesn't exist, you can also create it and link this PR to that fix

@kunalworldwide kunalworldwide left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Switching from strings.HasPrefix to exact key matching prevents false redaction on fields like image-mirror or name-prefix, which is exactly the bug described. Pre-compiling the regex at package initialization is also a nice cleanup for the hot path.

One edge case to consider: the regex will match empty quoted values (""). That's fine for redaction, but does it handle escaped quotes inside values? TOML supports \" inside strings, and the current regex would stop at the escaped quote. Since pack report is meant for human-readable output, that's probably acceptable, but worth documenting if not handled.

LGTM.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type/enhancement Issue that requests a new feature or improvement.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants