fix: Redact IPv6 addresses in "dial tcp" errors (#1075)

client/errors.go

@@ -15,6 +15,10 @@ import (
 const ssoInvalidOrExpired = "failed to refresh cached credentials, the SSO session has expired or is invalid"
 
 var (
+	ipv4Regex          = `\d+\.\d+\.\d+\.\d+`
+	ipv6Regex          = `(?:(?:[a-fA-F0-9]{0,4}:)){2,7}[a-fA-F0-9]{0,4}`
+	bracketedIpv6Regex = fmt.Sprintf(`\[%s\]`, ipv6Regex)
+
 	requestIdRegex = regexp.MustCompile(`\s([Rr]equest[ _]{0,1}(ID|Id|id):)\s[A-Za-z0-9-]+`)
 	hostIdRegex    = regexp.MustCompile(`\sHostID: [A-Za-z0-9+/_=-]+`)
 	arnIdRegex     = regexp.MustCompile(`(\s)(arn:aws[A-Za-z0-9-]*:)[^ \.\(\)\[\]\{\}\;\,]+(\s?)`)
@@ -27,7 +31,10 @@ var (
 		`\bread\s(udp|tcp)\s` + // "read udp "
 			`\S+:\d+->\S+:\d+`, // "192.168.1.2:5353->192.168.1.1:53"
 	)
-	dialRegex              = regexp.MustCompile(`(\sdial\s)(tcp|udp)(\s)([0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}:[0-9]{1,5})(:.+?)`)
+	dialRegex = regexp.MustCompile(
+		`\bdial\s(tcp|udp)\s` + // "dial tcp "
+			fmt.Sprintf(`(?:%s|%s):\d+`, ipv4Regex, bracketedIpv6Regex), // "192.168.1.2:123" or "[::1]:123"
+	)
 	encAuthRegex           = regexp.MustCompile(`(\s)(Encoded authorization failure message:)\s[A-Za-z0-9_-]+`)
 	userRegex              = regexp.MustCompile(`(\s)(is not authorized to perform: .+ on resource:\s)(user)\s.+`)
 	s3Regex                = regexp.MustCompile(`(\s)(S3(Key|Bucket))=(.+?)([,;\s])`)
@@ -244,7 +251,7 @@ func removePII(aa []string, msg string) string {
 	msg = urlRegex.ReplaceAllString(msg, "${1}http${2}://xxxx${3}")
 	msg = lookupRegex.ReplaceAllString(msg, "lookup xxxx on xxxx:xx")
 	msg = readXonYRegex.ReplaceAllString(msg, "read $1 xxxx:xx->xxxx:xx")
-	msg = dialRegex.ReplaceAllString(msg, "${1}${2}${3}xxxx${5}")
+	msg = dialRegex.ReplaceAllString(msg, "dial $1 xxxx:xx")
 	msg = encAuthRegex.ReplaceAllString(msg, "${1}${2} xxxx")
 	msg = userRegex.ReplaceAllString(msg, "${1}${2}${3} xxxx")
 	msg = s3Regex.ReplaceAllString(msg, "${1}${2}=xxxx${5}")

client/errors_test.go

@@ -45,7 +45,11 @@ func TestRemovePII(t *testing.T) {
 		},
 		{
 			"operation error Direct Connect: DescribeVirtualInterfaces, exceeded maximum number of attempts, 10, https response error StatusCode: 0, RequestID: , request send failed, Post \"https://logs.eu-central-1.amazonaws.com/\": dial tcp 177.72.244.112:443: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.",
-			"operation error Direct Connect: DescribeVirtualInterfaces, exceeded maximum number of attempts, 10, https response error StatusCode: 0, RequestID: , request send failed, Post \"https://xxxx\": dial tcp xxxx: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.",
+			"operation error Direct Connect: DescribeVirtualInterfaces, exceeded maximum number of attempts, 10, https response error StatusCode: 0, RequestID: , request send failed, Post \"https://xxxx\": dial tcp xxxx:xx: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.",
+		},
+		{
+			`operation error Cognito Identity Provider: ListUserPools, exceeded maximum number of attempts, 10, https response error StatusCode: 0, RequestID: , request send failed, Post "https://cognito-idp.us-west-2.amazonaws.com/": dial tcp [2600:1f14:917:5700:4845:5c16:891b:7127]:443: connect: network is unreachable`,
+			`operation error Cognito Identity Provider: ListUserPools, exceeded maximum number of attempts, 10, https response error StatusCode: 0, RequestID: , request send failed, Post "https://xxxx": dial tcp xxxx:xx: connect: network is unreachable`,
 		},
 		{
 			"operation error EC2: DescribeSnapshotAttribute, https response error StatusCode: 400, RequestID: xxxx, api error InvalidSnapshot.NotFound: The snapshot 'snap-11111111111111111' does not exist.",