From bb030c9330641100cae32baf6c7d2039837ec36e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maximilian=20Ga=C3=9F?=
Date: Mon, 26 Feb 2024 14:15:52 +0100
Subject: [PATCH] fix: disable hiding of Sensitive params if octocatalog-diff has access to them, then the user running it also has. showing them is no security issue. But not showing them is a problem when refactoring code to use Sensitive, because you don't see if you accidentally introduced other changes - for example forgetting an `unwrap` somewhere.
---
 lib/octocatalog-diff/catalog-diff/differ.rb | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/lib/octocatalog-diff/catalog-diff/differ.rb b/lib/octocatalog-diff/catalog-diff/differ.rb
index 3d959fa0..dd44e1ea 100644
--- a/lib/octocatalog-diff/catalog-diff/differ.rb
+++ b/lib/octocatalog-diff/catalog-diff/differ.rb
@@ -468,13 +468,6 @@ def ignored?(diff)
 def cleanse_parameters_hash(parameters_hash, sensitive_parameters)
 result = parameters_hash.dup
 
- # hides sensitive params. We still need to know if there's a going to
- # be a diff, so we hash the value.
- sensitive_parameters.each do |p|
- md5 = Digest::MD5.hexdigest Marshal.dump(result[p])
- result[p] = 'Sensitive [md5sum ' + md5 + ']'
- end
-
 # 'before' and 'require' handle internal Puppet ordering but do not affect what
 # happens on the target machine. Don't consider these for the purpose of catalog diff.
 result.delete('before')
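Review bot: With the masking loop removed, `cleanse_parameters_hash` passes Sensitive values through unredacted, so they will presumably appear verbatim wherever the diff output is written. The commit message's argument covers the person running the tool, but not stored or shared output such as CI job logs or pull-request comments, whose readers may not have access to the secrets. I would keep redaction as the default and make cleartext an explicit opt-in, for example `sensitive_parameters.each { |p| ... } unless <show-sensitive option>` (the option name is a placeholder), with a comment stating that the output then contains secrets. In the visible lines `sensitive_parameters` is now unused; the function body continues outside the hunk, so confirm whether the parameter and the caller code that builds it are still needed.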