[Security] Redact installer run-record secrets #233

Closed
opened 2026-07-11 11:39:41 +02:00 by zemion · 2 comments
Owner

External database snapshot records include raw database_url, command strings, stdout, and stderr. Database URLs and tool output commonly contain passwords or access tokens.

Code path: src/govoplan_core/core/module_installer.py:3017.

Acceptance: redact credentials in URLs before persistence, scrub captured stdout/stderr for configured database URLs and common secret patterns, avoid echoing raw secret-bearing hook commands in errors, and test PostgreSQL URLs with passwords plus output containing the same URL.

External database snapshot records include raw `database_url`, command strings, stdout, and stderr. Database URLs and tool output commonly contain passwords or access tokens. Code path: `src/govoplan_core/core/module_installer.py:3017`. Acceptance: redact credentials in URLs before persistence, scrub captured stdout/stderr for configured database URLs and common secret patterns, avoid echoing raw secret-bearing hook commands in errors, and test PostgreSQL URLs with passwords plus output containing the same URL. <!-- codex-audit-2026-07-11:installer-redaction -->
Author
Owner

Codex state update: implemented locally in /mnt/DATA/git/govoplan-core.

Summary:

  • Installer run records now redact database credentials in backup/restore command records, stdout/stderr, metadata, and result command displays.
  • Raw external database URLs are stored in a database-url.secret sidecar for rollback instead of persisted directly in record.json.
  • Legacy records with a raw database_url remain readable for rollback compatibility.

Verification:

  • python -m unittest tests.test_module_system.ModuleSystemTests.test_module_installer_external_database_backup_command_is_recorded tests.test_module_system.ModuleSystemTests.test_module_installer_external_database_restore_command_runs_on_rollback tests.test_module_system.ModuleSystemTests.test_module_installer_external_database_restore_check_runs_before_migrations
  • python -m py_compile for touched core modules

Left open until the local code is reviewed/committed/pushed.

Codex state update: implemented locally in `/mnt/DATA/git/govoplan-core`. Summary: - Installer run records now redact database credentials in backup/restore command records, stdout/stderr, metadata, and result command displays. - Raw external database URLs are stored in a `database-url.secret` sidecar for rollback instead of persisted directly in `record.json`. - Legacy records with a raw `database_url` remain readable for rollback compatibility. Verification: - `python -m unittest tests.test_module_system.ModuleSystemTests.test_module_installer_external_database_backup_command_is_recorded tests.test_module_system.ModuleSystemTests.test_module_installer_external_database_restore_command_runs_on_rollback tests.test_module_system.ModuleSystemTests.test_module_installer_external_database_restore_check_runs_before_migrations` - `python -m py_compile` for touched core modules Left open until the local code is reviewed/committed/pushed.
Author
Owner

Closing per user request; this issue is covered by the local changes ready to push.

Fixed locally: installer run-record database credentials are redacted and raw URLs are kept in a private sidecar secret file for rollback.

Closing per user request; this issue is covered by the local changes ready to push. Fixed locally: installer run-record database credentials are redacted and raw URLs are kept in a private sidecar secret file for rollback.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-core#233
No description provided.