Backport #5382 to 1.0.latest (#5414)

* Backport #5382 to 1.0.latest * Rm changelog entry for previous change * Satisfy old flake rules
dbt-labs · Jun 28, 2022 · 7b9ae20 · 7b9ae20
1 parent f1f0065
commit 7b9ae20
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 0 deletions.
diff --git a/.changes/unreleased/Under the Hood-20220616-120516.yaml b/.changes/unreleased/Under the Hood-20220616-120516.yaml
@@ -0,0 +1,7 @@
+kind: Under the Hood
+body: 'Add annotation to render_value method reimplemented in #5334'
+time: 2022-06-16T12:05:16.474078+02:00
+custom:
+  Author: jtcohen6
+  Issue: "4796"
+  PR: "5382"
diff --git a/.changie.yaml b/.changie.yaml
@@ -14,6 +14,7 @@ kinds:
 - label: Breaking Changes
 - label: Docs
 - label: Dependencies
+- label: Security
 custom:
 - key: Author
   label: GitHub Username(s) (separated by a single space if multiple)

diff --git a/core/dbt/config/renderer.py b/core/dbt/config/renderer.py
@@ -189,7 +189,14 @@ def name(self):
         return 'Secret'
 
     def render_value(self, value: Any, keypath: Optional[Keypath] = None) -> Any:
+        # First standard Jinja rendering with special handling for 'secret' environment variables
+        # "{{ env_var('DBT_SECRET_ENV_VAR') }}" ->
+        # "$$$DBT_SECRET_START$$$DBT_SECRET_ENV_{VARIABLE_NAME}$$$DBT_SECRET_END$$$"
+        # This prevents Jinja manipulation of secrets via macros/filters
+        # that might leak partial/modified values in logs
         rendered = super().render_value(value, keypath)
+        # Now, detect instances of the placeholder value ($$$DBT_SECRET_START...DBT_SECRET_END$$$)
+        # and replace them with the actual secret value
         if SECRET_ENV_PREFIX in str(rendered):
             search_group = f"({SECRET_ENV_PREFIX}(.*))"
             pattern = SECRET_PLACEHOLDER.format(search_group).replace("$", r"\$")

diff --git a/test/integration/013_context_var_tests/test_context_vars.py b/test/integration/013_context_var_tests/test_context_vars.py
@@ -251,6 +251,29 @@ def test_postgres_fail_clone_with_scrubbing(self):
         assert "abc123" not in str(exc.exception)
 
 
+class TestCloneFailSecretNotRendered(TestCloneFailSecretScrubbed):
+
+    @property
+    def packages_config(self):
+        return {
+            "packages": [
+                {
+                    "git": "https://fakeuser:{{ env_var('DBT_ENV_SECRET_GIT_TOKEN') | join(' ') }}@github.com/dbt-labs/fake-repo.git"
+                },
+            ]
+        }
+
+    @use_profile('postgres')
+    def test_postgres_fail_clone_with_scrubbing(self):
+        with self.assertRaises(dbt.exceptions.InternalException) as exc:
+            _, log_output = self.run_dbt_and_capture(["deps"])
+
+        # we should not see any manipulated form of the secret value (abc123) here
+        # we should see a manipulated form of the placeholder instead
+        assert "a b c 1 2 3" not in str(exc.exception)
+        assert "D B T _ E N V _ S E C R E T _ G I T _ T O K E N" in str(exc.exception)
+
+
 class TestEmitWarning(DBTIntegrationTest):
     @property
     def schema(self):