Skip to content

Apply redactions to snapshot metadata #813

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 3, 2025
Merged

Apply redactions to snapshot metadata #813

merged 4 commits into from
Nov 3, 2025

Conversation

@max-sixty
Copy link
Collaborator

@max-sixty max-sixty commented Oct 30, 2025

Summary

This PR implements consistent redaction behavior for both snapshot content and metadata, addressing a long-standing inconsistency where Settings.add_redaction() worked for snapshot content but not for metadata set via Settings.set_info().

Problem

Previously, redactions were only applied to snapshot content during serialization, not to metadata. This created surprising behavior for users of libraries like insta-cmd that capture sensitive data (API keys, credentials, etc.) in snapshot metadata.

Before this change:

---
info:
  env:
    API_KEY: sk_live_abc123def456  # ⚠️ Secret exposed!
---
content here

After this change:

---
info:
  env:
    API_KEY: "[REDACTED]"  # ✅ Redacted
---
content here

Implementation

Core Changes

  1. Created shared redaction helper (Redactions::apply_to_content())

    • Eliminates code duplication between metadata and content redaction
    • Both paths now use identical redaction logic

  2. Modified ActualSettings::info() to apply redactions to metadata

    • Metadata is redacted eagerly when set (prevents sensitive data in memory)
    • Content is still redacted lazily during serialization

  3. Updated documentation

    • set_info(): Documents that redactions are automatically applied
    • set_raw_info(): Documents that it does NOT apply redactions (low-level API)

Test Coverage

Added two tests documenting the behavior:

  • test_metadata_redaction: Validates set_info() applies redactions
  • test_metadata_raw_info_no_redaction: Validates set_raw_info() does not

Snapshots clearly show the difference:

--- set_info() snapshot
+++ set_raw_info() snapshot
 info:
-  secret: "[REDACTED]"
+  secret: sensitive_value

Benefits

  1. Security: Easier to prevent secrets in snapshots
  2. Consistency: Redactions work the same everywhere
  3. User expectations: add_redaction() now applies to all serialized data
  4. Minimal change: ~30 lines of implementation code

Breaking Changes

Low impact: Existing snapshots with sensitive data in metadata will change (values will become redacted). This is the intended behavior and improves security.

Migration: Users can either:

  • Update snapshots (recommended - secrets should be redacted)
  • Remove specific redactions if certain metadata values must be preserved
  • Use set_raw_info() for the low-level API that bypasses redactions

Testing

  • ✅ All 164 tests pass (added 2 new tests)
  • ✅ All lints pass (pre-commit)
  • ✅ No compiler warnings
  • ✅ Snapshot tests validate both redaction and non-redaction behavior

Related

Addresses the use case described in the proposal where libraries like insta-cmd need to redact environment variables captured in metadata.

🤖 Generated with Claude Code

max-sixty and others added 4 commits October 30, 2025 15:18
@max-sixty @claude
Apply redactions to snapshot metadata consistently
7410a5c 
Previously, redactions configured via `Settings.add_redaction()` were only
applied to snapshot content during serialization, but not to metadata set
via `Settings.set_info()`. This created surprising behavior where sensitive
data in metadata (like environment variables captured by insta-cmd) couldn't
be redacted.

This change makes redaction behavior consistent:
- Created shared `Redactions::apply_to_content()` helper
- Modified `ActualSettings::info()` to apply redactions to metadata
- Updated `serialize_content()` to use the shared helper
- Added documentation clarifying the behavior difference between
  `set_info()` (applies redactions) and `set_raw_info()` (does not)
- Added tests validating both behaviors

Metadata is redacted eagerly when set (to prevent sensitive data from
persisting in memory), while snapshot content is redacted lazily during
serialization. This design ensures sensitive data is handled securely.

Fixes the issue described in issue.md where users of insta-cmd and similar
libraries cannot redact sensitive metadata like API keys and credentials.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@max-sixty @claude
Fix: Only mark content mutable when redactions feature is enabled
8575ee3 
The previous implementation marked `content` as mutable unconditionally,
but it's only mutated when the `redactions` feature is enabled. This
caused compiler warnings when building without the feature.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@max-sixty @claude
Simplify: Use variable shadowing for cleaner conditional compilation
2350086 
Instead of duplicating the serialization line and using mut/non-mut variants,
use variable shadowing to conditionally apply redactions. This is cleaner and
more idiomatic Rust.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@max-sixty @claude
Fix: Gate metadata redaction tests on both yaml and redactions features
c98e0d9 
The tests call add_redaction() which requires the redactions feature, not
just yaml. Use #[cfg(all(feature = "yaml", feature = "redactions"))] to
ensure tests only compile when both features are enabled.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@max-sixty
Copy link
Collaborator Author

max-sixty commented Nov 1, 2025
edited
Loading

@mitsuhiko lmk if you have any thoughts here, otherwise I'll likely merge. it's quite helpful to be able to redact for insta-cmd (though open if a different interface makes sense)

+ ofc open to feedback from others

@max-sixty max-sixty merged commit 7de4930 into mitsuhiko:master Nov 3, 2025
15 checks passed
@max-sixty max-sixty mentioned this pull request Nov 20, 2025
Merged
max-sixty added a commit that referenced this pull request Nov 20, 2025
@max-sixty @claude
Prepare release 1.44.0 (#820)
5da894d 
## Summary

Prepare for the 1.44.0 release:

- Bump version to 1.44.0 in `insta/Cargo.toml` and
`cargo-insta/Cargo.toml`
- Update CHANGELOG.md with all changes since 1.43.2

## Changes in 1.44.0

- Added non-interactive snapshot review and reject modes for use in
non-TTY environments (LLMs, CI pipelines, scripts) #815
- Add `--disable-nextest-doctest` flag with deprecation warning #803
- Add ergonomic `--test-runner-fallback` / `--no-test-runner-fallback`
flags #811
- Apply redactions to snapshot metadata #813
- Remove confusing 'previously unseen snapshot' message #812
- Speed up JSON float rendering #806 (@nyurik)
- Allow globset version up to 0.4.16 #810 (@g0hl1n)
- Improve documentation #814 (@tshepang)
- Enforce starting newlines in assertions #563

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>
@max-sixty max-sixty deleted the metadata branch November 20, 2025 18:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@max-sixty