Strip secret values

Emyrk · Emyrk · commit 37484309472f · 2023-09-28T15:59:10.000-05:00
diff --git a/cli/server.go b/cli/server.go
@@ -617,7 +617,10 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				MetricsCacheRefreshInterval: vals.MetricsCacheRefreshInterval.Value(),
 				AgentStatsRefreshInterval:   vals.AgentStatRefreshInterval.Value(),
 				DeploymentValues:            vals,
-				DeploymentOptions:           opts,
+				// Do not pass secret values to DeploymentOptions. All values should be read from
+				// the DeploymentValues instead, this just serves to indicate the source of each
+				// option. This is just defensive to prevent accidentally leaking.
+				DeploymentOptions:           codersdk.DeploymentOptionsWithoutSecrets(opts),
 				PrometheusRegistry:          prometheus.NewRegistry(),
 				APIRateLimit:                int(vals.RateLimit.API.Value()),
 				LoginRateLimit:              loginRateLimit,
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -156,6 +156,7 @@ type Options struct {
 	// DeploymentOptions do contain the copy of DeploymentValues, but contain
 	// contextual information about how the values were set.
 	// Do not use DeploymentOptions to retrieve values, use DeploymentValues instead.
+	// All secrets values are stripped.
 	DeploymentOptions  clibase.OptionSet
 	UpdateCheckOptions *updatecheck.Options // Set non-nil to enable update checking.
 
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -1762,6 +1762,20 @@ type LinkConfig struct {
 	Icon   string `json:"icon" yaml:"icon"`
 }
 
+// DeploymentOptionsWithoutSecrets returns a copy of the OptionSet with secret values omitted.
+func DeploymentOptionsWithoutSecrets(set clibase.OptionSet) clibase.OptionSet {
+	cpy := make(clibase.OptionSet, 0, len(set))
+	for _, opt := range set {
+		cpyOpt := opt
+		if IsSecretDeploymentOption(cpyOpt) {
+			var empty clibase.String
+			cpyOpt.Value = &empty
+		}
+		cpy = append(cpy, cpyOpt)
+	}
+	return cpy
+}
+
 // WithoutSecrets returns a copy of the config without secret values.
 func (c *DeploymentValues) WithoutSecrets() (*DeploymentValues, error) {
 	var ff DeploymentValues
