sec: bump go and xrepos + redact aws tokens in url (#604)

dduzgun-security · web-flow · commit c56e01f2902a · 2026-03-10T11:00:06.000-04:00
* sec: bump go and xrepos + redact aws tokens in url

* go mod to 1.25.8 instead

* go versions on the ci
diff --git a/.github/workflows/go-getter.yml b/.github/workflows/go-getter.yml
@@ -17,8 +17,8 @@ jobs:
     strategy:
       matrix:
         go-version:
-          - "1.24"
-          - "1.25"
+          - "1.25.8"
+          - "1.26.1"
     steps:
       - name: Setup go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
@@ -62,8 +62,8 @@ jobs:
     strategy:
       matrix:
         go-version:
-          - "1.24"
-          - "1.25"
+          - "1.25.8"
+          - "1.26.1"
     steps:
       - name: Run git config # Windows-only
         run: git config --global core.autocrlf false
@@ -111,8 +111,8 @@ jobs:
     strategy:
       matrix:
         go-version:
-          - "1.24"
-          - "1.25"
+          - "1.25.8"
+          - "1.26.1"
         arch:
           - "386"      # 32-bit x86
           - "arm"      # 32-bit ARM
@@ -164,7 +164,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
-          go-version: "1.25" # Use latest for linting
+          go-version: "1.25.8" # Use latest for linting
       
       - name: Setup cache for go modules
         uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
@@ -190,8 +190,8 @@ jobs:
     strategy:
       matrix:
         go-version:
-          - "1.24"
-          - "1.25"
+          - "1.25.8"
+          - "1.26.1"
     permissions:
       id-token: write
       contents: read
@@ -257,8 +257,8 @@ jobs:
     strategy:
       matrix:
         go-version:
-          - "1.24"
-          - "1.25"
+          - "1.25.8"
+          - "1.26.1"
     permissions:
       id-token: write
       contents: read
diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.24.6
+1.25.8
diff --git a/go.mod b/go.mod
@@ -15,8 +15,8 @@ require (
 	github.com/klauspost/compress v1.18.4
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/ulikunitz/xz v0.5.15
-	golang.org/x/oauth2 v0.35.0
-	golang.org/x/sys v0.41.0
+	golang.org/x/oauth2 v0.36.0
+	golang.org/x/sys v0.42.0
 	google.golang.org/api v0.267.0
 )
 
@@ -69,11 +69,11 @@ require (
 	go.opentelemetry.io/otel/sdk v1.40.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect
 	go.opentelemetry.io/otel/trace v1.40.0 // indirect
-	golang.org/x/crypto v0.47.0 // indirect
-	golang.org/x/net v0.49.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/text v0.33.0 // indirect
-	golang.org/x/time v0.14.0 // indirect
+	golang.org/x/crypto v0.48.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/time v0.15.0 // indirect
 	google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
@@ -82,4 +82,4 @@ require (
 	gopkg.in/cheggaaa/pb.v1 v1.0.27 // indirect
 )
 
-go 1.24.6
+go 1.25.8
diff --git a/go.sum b/go.sum
@@ -155,20 +155,20 @@ go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4A
 go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
 go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
 go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
-golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
-golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
-golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
-golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
-golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
-golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/api v0.267.0 h1:w+vfWPMPYeRs8qH1aYYsFX68jMls5acWl/jocfLomwE=
diff --git a/url.go b/url.go
@@ -5,11 +5,21 @@ package getter
 
 import "net/url"
 
+// redactedParams is the list of URL query parameter names whose values are
+// sensitive and must be replaced with "redacted" in error messages and logs.
+var redactedParams = []string{
+	"sshkey",
+	"aws_access_key_id",
+	"aws_access_key_secret",
+	"aws_access_token",
+}
+
 // RedactURL is a port of url.Redacted from the standard library,
 // which is like url.String but replaces any password with "redacted".
 // Only the password in u.URL is redacted. This allows the library
 // to maintain compatibility with go1.14.
-// This port was also extended to redact all "sshkey" from URL query parameter
+// This port was also extended to redact sensitive URL query parameters
+// (sshkey, aws_access_key_id, aws_access_key_secret, aws_access_token)
 // and replace them with "redacted".
 func RedactURL(u *url.URL) string {
 	if u == nil {
@@ -21,11 +31,17 @@ func RedactURL(u *url.URL) string {
 		ru.User = url.UserPassword(ru.User.Username(), "redacted")
 	}
 	q := ru.Query()
-	if q.Has("sshkey") {
-		values := q["sshkey"]
-		for i := range values {
-			values[i] = "redacted"
+	modified := false
+	for _, param := range redactedParams {
+		if q.Has(param) {
+			values := q[param]
+			for i := range values {
+				values[i] = "redacted"
+			}
+			modified = true
 		}
+	}
+	if modified {
 		ru.RawQuery = q.Encode()
 	}
 	return ru.String()
diff --git a/url_test.go b/url_test.go
@@ -129,6 +129,56 @@ func TestRedactURL(t *testing.T) {
 			},
 			want: "ssh://git@github.com/hashicorp/go-getter-test-private.git?sshkey=redacted&sshkey=redacted",
 		},
+		{
+			name: "S3 URL with aws_access_key_id",
+			url: &url.URL{
+				Scheme:   "s3",
+				Host:     "bucket.s3.amazonaws.com",
+				Path:     "/key",
+				RawQuery: "aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
+			},
+			want: "s3://bucket.s3.amazonaws.com/key?aws_access_key_id=redacted",
+		},
+		{
+			name: "S3 URL with aws_access_key_secret",
+			url: &url.URL{
+				Scheme:   "s3",
+				Host:     "bucket.s3.amazonaws.com",
+				Path:     "/key",
+				RawQuery: "aws_access_key_secret=wJalrXUtnFEMI%2FK7MDENG%2FbPxRfiCYEXAMPLEKEY",
+			},
+			want: "s3://bucket.s3.amazonaws.com/key?aws_access_key_secret=redacted",
+		},
+		{
+			name: "S3 URL with aws_access_token",
+			url: &url.URL{
+				Scheme:   "s3",
+				Host:     "bucket.s3.amazonaws.com",
+				Path:     "/key",
+				RawQuery: "aws_access_token=AQoXnyc4lcK4w",
+			},
+			want: "s3://bucket.s3.amazonaws.com/key?aws_access_token=redacted",
+		},
+		{
+			name: "S3 URL with all three AWS credential params",
+			url: &url.URL{
+				Scheme:   "s3",
+				Host:     "bucket.s3.amazonaws.com",
+				Path:     "/key",
+				RawQuery: "aws_access_key_id=AKID&aws_access_key_secret=SECRET&aws_access_token=TOKEN",
+			},
+			want: "s3://bucket.s3.amazonaws.com/key?aws_access_key_id=redacted&aws_access_key_secret=redacted&aws_access_token=redacted",
+		},
+		{
+			name: "S3 URL with AWS credentials and non-sensitive params preserved",
+			url: &url.URL{
+				Scheme:   "s3",
+				Host:     "bucket.s3.amazonaws.com",
+				Path:     "/key",
+				RawQuery: "aws_access_key_id=AKID&aws_access_key_secret=SECRET&region=us-east-1",
+			},
+			want: "s3://bucket.s3.amazonaws.com/key?aws_access_key_id=redacted&aws_access_key_secret=redacted&region=us-east-1",
+		},
 	}
 
 	for _, tt := range cases {
