Skip to content

Fix redaction leak from ssh_secret within checkout#4088

Open
JoeColeman95 wants to merge 3 commits into
mainfrom
SUP-7552/Fix-redaction
Open

Fix redaction leak from ssh_secret within checkout#4088
JoeColeman95 wants to merge 3 commits into
mainfrom
SUP-7552/Fix-redaction

Conversation

@JoeColeman95

Copy link
Copy Markdown
Contributor

Description

When a checkout uses ssh_secret, the fetched key is set as BUILDKITE_GIT_SSH_KEY in the job environment. That var is also an executor config var, so after any hook runs the executor logs it as a changed config value. That log line formats values with %q, which escapes the key's newlines into literal backslash n sequences.

Context

Linear

Reported via support. A customer's build log showed their SSH deploy key in plaintext after a global environment hook ran.

Changes

  • Redact known secrets from env change log values before %q formatting in applyEnvironmentChanges, via a new redactedValue helper
  • Add Mux.Needles to internal/replacer, returning the deduplicated needle set across replacers
  • Add a regression test mapping a multiline secret onto BUILDKITE_GIT_SSH_KEY with an environment hook present, plus unit tests for Mux.Needles

Testing

  • [ x ] Tests have run locally (with go test ./...). Buildkite employees may check this if the pipeline has run automatically.
  • [ x ] Code is formatted (with go tool gofumpt -extra -w .)

Affiliation (optional, external contributors)

Disclosures / Credits

Fable 5 traced the leak path for me and explained what was occurring, also wrote the secrets integration test so I could validate.

@JoeColeman95
JoeColeman95 requested review from a team as code owners July 15, 2026 14:59

@buildsworth-bk-app buildsworth-bk-app Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't find any code issues to raise. I'm leaving this as a comment rather than an approval because the change touches secret redaction/private-key handling, so it needs human review.

Want to dig deeper?

The full session log is attached to this Buildkite build. Download the session file and open a new pi session with it:

Download the buildsworth logs from build 5305, then answer my questions about the findings.

@JoeColeman95 JoeColeman95 changed the title Sup 7552/fix redaction Fix redaction leak from ssh_secret within checkout Jul 15, 2026

@buildsworth-bk-app buildsworth-bk-app Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't find any code issues to raise. I'm leaving this as a comment rather than an approval because the PR changes secret redaction/private-key handling, so it needs human review.

Want to dig deeper?

The full session log is attached to this Buildkite build. Download the session file and open a new pi session with it:

Download the buildsworth logs from build 5308, then answer my questions about the findings.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes under clicommand (to meta-data set-batch) seem totally unrelated?


var receivedBatch api.MetaDataBatch
server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
client := stubAPIClient(l, func(req *http.Request) (*http.Response, error) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please don't do this. Using httptest and having an actual network round-trip (even if it's the same host) makes the test more faithful than stubbing out the client.

@DrJosh9000 DrJosh9000 mentioned this pull request Jul 16, 2026
2 tasks
@DrJosh9000

Copy link
Copy Markdown
Contributor

I've taken a stab at an alternative in #4091

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants