Sanitize credentials from snapshot repository URLs by arska · Pull Request #1174 · k8up-io/k8up

arska · 2026-03-22T22:12:17Z

Summary

REST backend repository URLs can contain credentials in the userinfo component (e.g. rest:https://user:pass@host/path). These were stored verbatim in Snapshot CRs and visible via kubectl get snapshot, exposing credentials to anyone with read access to the namespace.

Before

$ kubectl get snapshot
NAME       DATE TAKEN             PATHS   REPOSITORY
ed134283   2025-07-08T01:00:05Z   /data   rest:https://backup:secret@backup.example.com/repo

After

$ kubectl get snapshot
NAME       DATE TAKEN             PATHS   REPOSITORY
ed134283   2025-07-08T01:00:05Z   /data   rest:https://redacted:redacted@backup.example.com/repo

Only REST backends are affected — S3/Azure/Swift/B2/GCS backends don't include credentials in the repository URL.

Fixes #1077

Checklist

Commits are signed off
PR contains the label area:operator
I have not made any changes in the charts/ directory

Test plan

Added unit tests for URL sanitization (all backend types)
All existing snapshot tests pass

🤖 Generated with Claude Code

tobru

@Kidswiss Mind taking another look?

REST backend repository URLs can contain credentials in the userinfo component (e.g. rest:https://user:pass@host/path). These were stored verbatim in Snapshot CRs and visible via kubectl get snapshot, exposing credentials to anyone with read access to the namespace. Add sanitizeRepositoryURL() that replaces userinfo with "redacted" before storing in the Snapshot spec. This only affects REST backends — S3/Azure/Swift/B2/GCS backends don't include credentials in the repository URL. Fixes #1077 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Aarno Aukia <aarno.aukia@vshn.ch>

bastjan · 2026-03-25T09:51:20Z

+	if idx := strings.Index(repo, ":"); idx > 0 {
+		candidate := repo[:idx]
+		// Check if it looks like a restic scheme (not a Windows drive letter or URL scheme)
+		if candidate == "rest" || candidate == "s3" || candidate == "azure" || candidate == "swift" || candidate == "b2" || candidate == "gs" {
+			prefix = repo[:idx+1]
+			rest = repo[idx+1:]
+		}
+	}


Suggested change

if idx := strings.Index(repo, ":"); idx > 0 {

candidate := repo[:idx]

// Check if it looks like a restic scheme (not a Windows drive letter or URL scheme)

if candidate == "rest" || candidate == "s3" || candidate == "azure" || candidate == "swift" || candidate == "b2" || candidate == "gs" {

prefix = repo[:idx+1]

rest = repo[idx+1:]

}

}

if candidate, after, found := strings.Cut(repo, ":"); found {

// Check if it looks like a restic scheme (not a Windows drive letter or URL scheme)

if candidate == "rest" || candidate == "s3" || candidate == "azure" || candidate == "swift" || candidate == "b2" || candidate == "gs" {

prefix = candidate + ":"

rest = after

}

}

Much easier to understand IMO.

bastjan · 2026-03-25T09:52:47Z

+		"local path": {
+			input:    "/tmp/restic-repo",
+			expected: "/tmp/restic-repo",
+		},


Suggested change

},

},

"scheme only": {

input: "s3:",

expected: "s3:",

},

"windows drive letter": {

input: "C:\\path\\to\\repo",

expected: "C:\\path\\to\\repo",

},

"url scheme": {

input: "http://example.com/repo",

expected: "http://example.com/repo",

},

We probably should test what was written in the comment.

Kidswiss

Please implement bastjan's suggestions.

arska requested a review from a team as a code owner March 22, 2026 22:12

arska added bug Something isn't working area:operator labels Mar 22, 2026

arska requested review from Kidswiss and lieneluksika and removed request for a team March 22, 2026 22:12

arska self-assigned this Mar 22, 2026

arska added bug Something isn't working area:operator labels Mar 22, 2026

tobru approved these changes Mar 23, 2026

View reviewed changes

arska force-pushed the fix/sanitize-snapshot-repo-url-1077 branch from f5f0306 to 8d5cbdb Compare March 23, 2026 11:58

arska removed the request for review from lieneluksika March 23, 2026 12:41

arska force-pushed the fix/sanitize-snapshot-repo-url-1077 branch from 8d5cbdb to aff1e1d Compare March 23, 2026 13:41

arska force-pushed the fix/sanitize-snapshot-repo-url-1077 branch from aff1e1d to 498d8c5 Compare March 23, 2026 13:57

bastjan reviewed Mar 25, 2026

View reviewed changes

Kidswiss requested changes Mar 27, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sanitize credentials from snapshot repository URLs#1174

Sanitize credentials from snapshot repository URLs#1174
arska wants to merge 1 commit intomasterfrom
fix/sanitize-snapshot-repo-url-1077

arska commented Mar 22, 2026

Uh oh!

tobru left a comment

Uh oh!

bastjan Mar 25, 2026 •

edited

Loading

Uh oh!

bastjan Mar 25, 2026

Uh oh!

Kidswiss left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

-		},
+		},
+		"scheme only": {
+			input:    "s3:",
+			expected: "s3:",
+		},
+		"windows drive letter": {
+			input:    "C:\\path\\to\\repo",
+			expected: "C:\\path\\to\\repo",
+		},
+		"url scheme": {
+			input:    "http://example.com/repo",
+			expected: "http://example.com/repo",
+		},

Conversation

arska commented Mar 22, 2026

Summary

Before

After

Checklist

Test plan

Uh oh!

tobru left a comment

Choose a reason for hiding this comment

Uh oh!

bastjan Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

bastjan Mar 25, 2026

Choose a reason for hiding this comment

Uh oh!

Kidswiss left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

bastjan Mar 25, 2026 •

edited

Loading