[CRED-2625] Redact ContextAccessToken in debug request dump#4098
Draft
luczhou wants to merge 1 commit into
Conversation
The debug-dump path at CallAPI() redacts api/app key values pulled from ContextAPIKeys before logging the captured request bytes. The Authorization header set from ContextAccessToken (delegated tokens, PATs) is dumped verbatim — any caller running with Cfg.Debug = true and access-token auth leaks the bearer to the global logger.

This was surfaced by terraform-provider-datadog#3757, which is the first Terraform code path to set ContextAccessToken. With TF_LOG=DEBUG, the PAT would land in Terraform stderr, CI artifacts, and downstream log shippers.

Extend the redaction block to also walk ContextAccessToken from the request context and ReplaceAll the token bytes with REDACTED. Apply the change to both the .j2 template and the generated client.go so the file matches what the next regen produces; latent bugs in the existing api-keys loop (missing regexp.QuoteMeta, no empty-key guard) are left for a follow-up PR to keep this one minimal.

Test (tests/api/client_test.go:TestDebugDumpRedactsAccessToken) captures the global logger output, drives CallAPI with a ContextAccessToken-bearing context and a matching Authorization header, and asserts the token value does not appear in the dump and REDACTED does.

Refs: CRED-2625, terraform-provider-datadog#3757
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 15, 2026
Description
The debug-dump path in `CallAPI()` (`api/datadog/client.go:171-184`) redacts api/app key values pulled from `ContextAPIKeys` before logging the captured request bytes. The `Authorization` header set from `ContextAccessToken` (delegated tokens, PATs) is dumped verbatim — any caller running with `Cfg.Debug = true` and access-token auth leaks the bearer to the global logger.

Surfaced by terraform-provider-datadog#3757, which is the first Terraform code path to set `ContextAccessToken`. With `TF_LOG=DEBUG`, the PAT would land in Terraform stderr, CI artifacts, and downstream log shippers — a self-contained bearer is full account-impersonating compromise until rotated.

Tracking ticket: CRED-2625.

Changes

- `.generator/src/generator/templates/client.j2:175-189`: extend the existing redaction block to also walk `ContextAccessToken` from the request context. Compile a `regexp.QuoteMeta`-escaped pattern from the token value and `ReplaceAll` it with `REDACTED` in the dump bytes.
- `api/datadog/client.go`: mirror the same edit in the generated file so the diff matches what the next regen produces.
- `tests/api/client_test.go`: add `TestDebugDumpRedactsAccessToken` — drives `CallAPI` against an `httptest.Server` with `Cfg.Debug = true` and a `ContextAccessToken`-bearing context (plus a matching `Authorization` header to simulate what `PrepareRequest` sets in production). Captures the global logger output and asserts the token value does not appear in the dump and `REDACTED` does.

Out of scope, left for follow-ups:

- The existing api-keys loop has latent bugs (missing `regexp.QuoteMeta`, no empty-key guard). Keeping this PR minimal — happy to file a separate cleanup PR.
- The response dump (`client.go:192-200`) has no redaction at all. Lower risk since responses rarely echo auth headers, but worth fixing in a follow-up.

Cross-language

Related work tracked under CRED-2625:

- datadog-api-client-typescript PR: same fix shape (add `Authorization` to the allowlist in `isomorphic-fetch.ts:logRequest`).
- datadog-api-client-ruby PR: same fix shape (add `Authorization` to `sanitize_request_header`'s `keys_to_redact`).
- datadog-api-client-java GH issue: wider gap — Jersey `LoggingFeature.PAYLOAD_ANY` has no header redaction at all, so api/app keys and bearer leak in debug mode. Tracked as an issue for api-platform guidance on the right shape.
- datadog-api-client-python: no equivalent gap (the `rest.j2` debug path logs only response body, not request headers).

Testing

- `go test ./tests/api/... -run TestDebugDumpRedactsAccessToken` passes
- `tests/api/client_test.go` suite still passes (4 tests, all green)
- `go build ./api/datadog/...` clean

🤖 Generated with Claude Code
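The redaction described in the commit message and in the Changes list above, as an added Go example that is not code from this PR or from datadog-api-client-go. It stands in for the real client: the context keys `ctxAPIKeys` and `ctxAccessToken`, the helpers `secretsFromContext`, `redact`, `redactNaive`, `dumpRequest` and `sampleRequest`, the host `api.example.test` and both sample credentials are constructed here, and the real client's `ContextAPIKeys` and `ContextAccessToken` carry different value types. It goes beyond the PR in also showing the two latent bugs the description defers to a follow-up (an unescaped regexp metacharacter silently missing the key, and an empty value shredding the dump) next to the hardened loop.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httputil"
	"os"
	"regexp"
)

// ctxKey and the two keys below stand in for datadog.ContextAPIKeys and
// datadog.ContextAccessToken. They are assumptions of this example; the real
// client's context keys and value types differ.
type ctxKey string

const (
	ctxAPIKeys     ctxKey = "apiKeys"
	ctxAccessToken ctxKey = "accessToken"
)

// Constructed sample credentials, not real ones. The '+' in the api key is a
// regexp metacharacter, which is exactly what an unescaped pattern gets wrong.
const (
	sampleAPIKey = "k3y+with+plus"
	sampleToken  = "pat-example-0123456789"
)

// secretsFromContext collects every credential value the dump could contain:
// the api/app key values plus the access token.
func secretsFromContext(ctx context.Context) []string {
	var secrets []string
	if keys, ok := ctx.Value(ctxAPIKeys).(map[string]string); ok {
		for _, v := range keys {
			secrets = append(secrets, v)
		}
	}
	if tok, ok := ctx.Value(ctxAccessToken).(string); ok {
		secrets = append(secrets, tok)
	}
	return secrets
}

// redactNaive reproduces the two latent bugs the PR description defers to a
// follow-up: the secret is compiled as a regexp without QuoteMeta, and an
// empty value is not skipped. "k3y+with+plus" compiles to a pattern that
// matches "k3yyywithhhplus" but never the literal key, and "" matches between
// every byte, so ReplaceAll inserts REDACTED throughout the dump.
func redactNaive(dump []byte, secrets []string) ([]byte, error) {
	for _, s := range secrets {
		re, err := regexp.Compile(s)
		if err != nil {
			return nil, err
		}
		dump = re.ReplaceAll(dump, []byte("REDACTED"))
	}
	return dump, nil
}

// redact is the hardened loop: skip empty values and match each secret
// literally by escaping it with regexp.QuoteMeta.
func redact(dump []byte, secrets []string) []byte {
	for _, s := range secrets {
		if s == "" {
			continue
		}
		re := regexp.MustCompile(regexp.QuoteMeta(s))
		dump = re.ReplaceAll(dump, []byte("REDACTED"))
	}
	return dump
}

// dumpRequest captures the outgoing request bytes the way a debug dump does
// (httputil.DumpRequestOut records them without touching the network) and
// redacts every secret found in the request context before returning them.
func dumpRequest(ctx context.Context, req *http.Request) ([]byte, error) {
	raw, err := httputil.DumpRequestOut(req, true)
	if err != nil {
		return nil, err
	}
	return redact(raw, secretsFromContext(ctx)), nil
}

// sampleRequest builds a request carrying both credentials in its context and
// in the headers a client would set from them (constructed host, no I/O).
func sampleRequest() (context.Context, *http.Request, error) {
	ctx := context.WithValue(context.Background(), ctxAPIKeys, map[string]string{"apiKeyAuth": sampleAPIKey})
	ctx = context.WithValue(ctx, ctxAccessToken, sampleToken)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.example.test/api/v2/current_user", nil)
	if err != nil {
		return nil, nil, err
	}
	req.Header.Set("DD-API-KEY", sampleAPIKey)
	req.Header.Set("Authorization", "Bearer "+sampleToken)
	return ctx, req, nil
}

func main() {
	ctx, req, err := sampleRequest()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	dump, err := dumpRequest(ctx, req)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s", dump)
}
```

Running it prints the wire-format request with `Authorization: Bearer REDACTED` and `Dd-Api-Key: REDACTED` (Go canonicalizes header names in the dump). Redacting by value rather than by header name is what also catches a token that appears in a query string or body, which is why the empty-value guard matters: a blank credential turns a value-based pass into a pattern that matches everywhere.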