Fix the exposure of sensitive data from inside logs by dropping the entered value inside schema validation function (#30388)

* drop the actual value of the secret entered by the user from printing inside field validation

* add changelog

* upgrade vault radar version to 0.24.0

* feedback

* remove changelog
Amir Aslamov 2025-04-25 15:20:29 -04:00 committed by GitHub
parent f8ab6471d6
commit 10495d77f3
GPG Key ID: B5690EEEBB952194
2 changed files with 3 additions and 3 deletions


@ -34,7 +34,7 @@ variable "radar_license_path" {
variable "radar_version" {
description = "The version of Vault Radar to install"
default = "0.17.0" # must be >= 0.17.0
default = "0.24.0" # must be >= 0.17.0
// NOTE: A `semverconstraint` validation condition would be very useful here
// when we get around to exporting our custom enos funcs in the provider.
}


@ -33,7 +33,7 @@ type FieldData struct {
// trying to get data out. Data not in the schema is not
// an error at this point, so we don't worry about it.
func (d *FieldData) Validate() error {
for field, value := range d.Raw {
for field := range d.Raw {
schema, ok := d.Schema[field]
if !ok {
@ -46,7 +46,7 @@ func (d *FieldData) Validate() error {
TypeKVPairs, TypeCommaIntSlice, TypeHeader, TypeFloat, TypeTime:
_, _, err := d.getPrimitive(field, schema)
if err != nil {
return errwrap.Wrapf(fmt.Sprintf("error converting input %v for field %q: {{err}}", value, field), err)
return errwrap.Wrapf(fmt.Sprintf("error converting input for field %q: {{err}}", field), err)
}
default:
return fmt.Errorf("unknown field type %q for field %q", schema.Type, field)
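Review bot: The new `return errwrap.Wrapf(fmt.Sprintf("error converting input for field %q: {{err}}", field), err)` still interpolates the error from `d.getPrimitive(field, schema)` through `{{err}}`, so the submitted value can still reach logs if the underlying conversion error quotes what it failed to parse. Go's `strconv` errors, for example, include the offending string (`parsing "<input>": invalid syntax`); getPrimitive is not visible here, so whether any of its paths do this needs confirming. A regression test would pin the fix: call Validate with a malformed value for a typed field and assert the returned error string does not contain that value. I would also add `// Do not include the raw value here: it may be a secret and this error can be logged.` above the return so the value is not reintroduced later. Validate's body starts and ends outside these hunks.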