filterSensitiveInformation fails to redact multiline values #612

@nafisat2

What happened?

filterSensitiveInformation fails to redact multiline string values (PEM private keys, passwords, certificates) from Terraform diagnostic output.

```go
func (ts Setup) filterSensitiveInformation(s string) string {
	for _, v := range ts.Configuration {
		if str, ok := v.(string); ok && str != "" {
			s = strings.ReplaceAll(s, str, "REDACTED")
		}
	}
	return s
}
```

The filter value is the raw Go string; however, Terraform's diagnostic output is JSON. The sensitive value goes through two levels of JSON encoding before reaching the filter:

  1. upjet writes ps.Configuration to main.tf.json (1st encoding: real \n -> \\n in JSON source)
  2. Terraform outputs diagnostics with main.tf.json content embedded in a snippet.code field (2nd encoding: \\n -> \\\\n)

The raw subprocess output therefore contains \\n where the filter value has \n. strings.ReplaceAll finds no match and the sensitive value is logged in plaintext.

How can we reproduce it?

Using any upjet-based provider that puts a PEM private key in ps.Configuration, e.g. provider-okta.

Expected: all values in ps.Configuration appear as REDACTED in Terraform diagnostic log output.

Actual: base_url, client_id, org_name are redacted; private_key appears in plaintext in the snippet.code field of diagnostic output:

```
\\\"client_id\\\":\\\"REDACTED\\\",\\\"org_name\\\":\\\"REDACTED\\\",\\\"private_key\\\":\\\"-----BEGIN PRIVATE KEY-----\\\\n...
```
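The mismatch described in this issue can be reproduced offline. This is an added example, not upjet's code or a proposed patch from the project: it compares a raw-value filter with one that also matches each value as escaped once and twice. The names `rawFilter`, `layeredFilter`, `jsonEscape` and `sampleDiagnostic` are hypothetical, the credentials are constructed, and it assumes both encoding layers escape strings the way Go's `encoding/json` does.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample values; not real credentials.
var secrets = []string{
	"0oa-constructed-id",
	"-----BEGIN PRIVATE KEY-----\nCONSTRUCTEDKEYMATERIAL\n-----END PRIVATE KEY-----\n",
}

// jsonEscape returns s as encoding/json writes it inside a string literal (assumed to match both encoders).
func jsonEscape(s string) string {
	b, _ := json.Marshal(s) // marshaling a plain string cannot fail
	return string(b[1 : len(b)-1])
}

// sampleDiagnostic builds constructed output: a config document embedded in a snippet.code string.
func sampleDiagnostic() string {
	cfg, _ := json.Marshal(map[string]string{"client_id": secrets[0], "private_key": secrets[1]})
	out, _ := json.Marshal(map[string]map[string]string{"snippet": {"code": string(cfg)}})
	return string(out)
}

// rawFilter replaces only the raw value, like the function in the issue.
func rawFilter(s string, vals []string) string {
	for _, v := range vals {
		if v != "" {
			s = strings.ReplaceAll(s, v, "REDACTED")
		}
	}
	return s
}

// layeredFilter also replaces each value as escaped once and twice, most-escaped form first.
func layeredFilter(s string, vals []string) string {
	for _, v := range vals {
		once := jsonEscape(v)
		s = rawFilter(s, []string{jsonEscape(once), once, v})
	}
	return s
}

func main() {
	fmt.Printf("raw:     %s\nlayered: %s\n", rawFilter(sampleDiagnostic(), secrets), layeredFilter(sampleDiagnostic(), secrets))
}
```

Single-line values survive both encodings unchanged, which is why only the multiline key leaks through the raw filter.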
