From 4b489b513767d824bb3f70769285caf68cb895eb Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 27 Feb 2026 01:33:24 +0000
Subject: [PATCH 1/2] Mask Cloudflare API token in logs
The Cloudflare API token was previously logged in cleartext when the log verbosity was set to 3 or higher. This commit masks the token in the log message to prevent sensitive information disclosure.
Fixes: security vulnerability where API token is logged
Co-authored-by: STRRL <20221408+STRRL@users.noreply.github.com>
---
 cmd/cloudflare-tunnel-ingress-controller/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/cloudflare-tunnel-ingress-controller/main.go b/cmd/cloudflare-tunnel-ingress-controller/main.go
index 2f1ae0f..da3ba79 100644
--- a/cmd/cloudflare-tunnel-ingress-controller/main.go
+++ b/cmd/cloudflare-tunnel-ingress-controller/main.go
@@ -60,7 +60,7 @@ func main() {
 logger := options.logger
 logger.Info("logging verbosity", "level", options.logLevel)
- logger.V(3).Info("build cloudflare client with API Token", "api-token", options.cloudflareAPIToken)
+ logger.V(3).Info("build cloudflare client with API Token", "api-token", "***")
 cloudflareClient, err := cloudflare.NewWithAPIToken(options.cloudflareAPIToken)
 if err != nil {
 logger.Error(err, "create cloudflare client")
From a39680a8e6aefc233b50821be296dd11c3604183 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 27 Feb 2026 18:31:59 +0000
Subject: [PATCH 2/2] Redact Cloudflare API token in logs
The Cloudflare API token was previously logged in cleartext when the log verbosity was set to 3 or higher. This commit masks the token in the log message with `` to prevent sensitive information disclosure.
Fixes: security vulnerability where API token is logged
Co-authored-by: STRRL <20221408+STRRL@users.noreply.github.com>
---
 cmd/cloudflare-tunnel-ingress-controller/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/cloudflare-tunnel-ingress-controller/main.go b/cmd/cloudflare-tunnel-ingress-controller/main.go
index da3ba79..5626919 100644
--- a/cmd/cloudflare-tunnel-ingress-controller/main.go
+++ b/cmd/cloudflare-tunnel-ingress-controller/main.go
@@ -60,7 +60,7 @@ func main() {
 logger := options.logger
 logger.Info("logging verbosity", "level", options.logLevel)
- logger.V(3).Info("build cloudflare client with API Token", "api-token", "***")
+ logger.V(3).Info("build cloudflare client with API Token", "api-token", "")
 cloudflareClient, err := cloudflare.NewWithAPIToken(options.cloudflareAPIToken)
 if err != nil {
 logger.Error(err, "create cloudflare client")
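Review bot: The value logged under `api-token` on the added line is a constant — as shown here an empty string, although the description's "with ``" suggests a placeholder was lost when the page was rendered — so the key tells an operator nothing, and an empty value is indistinguishable from a token that was never configured. Logging only whether a token was supplied keeps the diagnostic value without the secret: `logger.V(3).Info("build cloudflare client with API Token", "api-token-set", options.cloudflareAPIToken != "")`. The `"***"` literal in the hunk of patch 1/2 has the same limitation. Tokens already written to logs at verbosity 3 or higher before this change should be treated as exposed and rotated, which the commit message could state. main's body starts and ends outside the hunk.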