From 253856231a5b02d9bd9a9fb754f9fdb38ee11d97 Mon Sep 17 00:00:00 2001
From: Saswata Mukherjee <saswataminsta@yahoo.com>
Date: Thu, 23 May 2024 10:34:06 +0100
Subject: [PATCH] *: Ensure objstore flag values are masked & disable
 debug/pprof/cmdline (#7382)

* *: Ensure objstore flag values are masked & disable debug/pprof/cmdline

Signed-off-by: Saswata Mukherjee <saswataminsta@yahoo.com>

* small fix

Signed-off-by: Saswata Mukherjee <saswataminsta@yahoo.com>

---------

Signed-off-by: Saswata Mukherjee <saswataminsta@yahoo.com>
---
 CHANGELOG.md            | 1 +
 cmd/thanos/main.go      | 5 +++++
 pkg/server/http/http.go | 1 -
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 84baf75f81..842c8365dd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,7 @@ We use *breaking :warning:* to mark changes that are not backward compatible (re
 ### Changed
 
 - [#7334](https://github.com/thanos-io/thanos/pull/7334) Compactor: do not vertically compact downsampled blocks. Such cases are now marked with `no-compact-mark.json`. Fixes panic `panic: unexpected seriesToChunkEncoder lack of iterations`.
+- [#7382](https://github.com/thanos-io/thanos/pull/7382) *: Ensure objstore flag values are masked & disable debug/pprof/cmdline
 
 ### Removed
 
diff --git a/cmd/thanos/main.go b/cmd/thanos/main.go
index 892c9824e1..a29d702d0d 100644
--- a/cmd/thanos/main.go
+++ b/cmd/thanos/main.go
@@ -214,6 +214,11 @@ func getFlagsMap(flags []*kingpin.FlagModel) map[string]string {
 		if boilerplateFlags.GetFlag(f.Name) != nil {
 			continue
 		}
+		// Mask inline objstore flag which can have credentials.
+		if f.Name == "objstore.config" || f.Name == "objstore.config-file" {
+			flagsMap[f.Name] = "<REDACTED>"
+			continue
+		}
 		flagsMap[f.Name] = f.Value.String()
 	}
 
diff --git a/pkg/server/http/http.go b/pkg/server/http/http.go
index 795d6c4fdb..fc92100e3f 100644
--- a/pkg/server/http/http.go
+++ b/pkg/server/http/http.go
@@ -117,7 +117,6 @@ func (s *Server) Handle(pattern string, handler http.Handler) {
 
 func registerProfiler(mux *http.ServeMux) {
 	mux.HandleFunc("/debug/pprof/", pprof.Index)
-	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
 	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
 	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
 	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)