fix: redact nested Pulsar resource configs

Author: freeznet

pkg/mcp/pulsar_resources.go

@@ -81,6 +81,7 @@ const (
 	pulsarWorkerMetricsResourceURI       = "pulsar://admin/v2/worker-stats/metrics"
 	pulsarResourceJSONMIMEType           = "application/json"
 	pulsarResourceSummaryStringLimit     = 50
+	pulsarResourceSanitizeDepthLimit     = 6
 	pulsarResourceRedactedValue          = "<redacted>"
 )
 
@@ -3302,9 +3303,16 @@ func sanitizePulsarResourceStringMap(values map[string]string, limit int) map[st
 }
 
 func sanitizePulsarResourceAnyMap(values map[string]any, limit int) map[string]any {
+	return sanitizePulsarResourceAnyMapWithDepth(values, limit, pulsarResourceSanitizeDepthLimit)
+}
+
+func sanitizePulsarResourceAnyMapWithDepth(values map[string]any, limit int, depth int) map[string]any {
 	if len(values) == 0 || limit <= 0 {
 		return nil
 	}
+	if depth <= 0 {
+		return nil
+	}
 
 	keys := make([]string, 0, len(values))
 	for key := range values {
@@ -3321,22 +3329,27 @@ func sanitizePulsarResourceAnyMap(values map[string]any, limit int) map[string]a
 			sanitized[key] = pulsarResourceRedactedValue
 			continue
 		}
-		sanitized[key] = sanitizePulsarResourceAnyValue(values[key], 2)
+		sanitized[key] = sanitizePulsarResourceAnyValue(values[key], depth-1)
 	}
 	return sanitized
 }
 
 func sanitizePulsarResourceAnyValue(value any, depth int) any {
-	if depth <= 0 {
-		return value
-	}
-
 	switch typed := value.(type) {
 	case map[string]any:
-		return sanitizePulsarResourceAnyMap(typed, pulsarResourceSummaryStringLimit)
+		if depth <= 0 {
+			return pulsarResourceRedactedValue
+		}
+		return sanitizePulsarResourceAnyMapWithDepth(typed, pulsarResourceSummaryStringLimit, depth)
 	case map[string]string:
+		if depth <= 0 {
+			return pulsarResourceRedactedValue
+		}
 		return sanitizePulsarResourceStringMap(typed, pulsarResourceSummaryStringLimit)
 	case []any:
+		if depth <= 0 {
+			return pulsarResourceRedactedValue
+		}
 		values := typed
 		if len(values) > pulsarResourceSummaryStringLimit {
 			values = values[:pulsarResourceSummaryStringLimit]
@@ -3347,6 +3360,9 @@ func sanitizePulsarResourceAnyValue(value any, depth int) any {
 		}
 		return sanitized
 	case []string:
+		if depth <= 0 {
+			return pulsarResourceRedactedValue
+		}
 		values, _ := limitStringSlice(typed, pulsarResourceSummaryStringLimit)
 		return values
 	default:

pkg/mcp/pulsar_resources_test.go

@@ -284,6 +284,89 @@ func TestPulsarAddResourcesFeatureGate(t *testing.T) {
 	})
 }
 
+func TestSanitizePulsarResourceAnyMapRedactsNestedValues(t *testing.T) {
+	t.Parallel()
+
+	longSlice := make([]any, pulsarResourceSummaryStringLimit+1)
+	for i := range longSlice {
+		longSlice[i] = map[string]any{"index": i}
+	}
+	tooDeep := map[string]any{"password": "secret-over-budget"}
+	for i := 0; i <= pulsarResourceSanitizeDepthLimit; i++ {
+		tooDeep = map[string]any{fmt.Sprintf("level-%02d", i): tooDeep}
+	}
+
+	values := map[string]any{
+		"owner": "team-a",
+		"nested": map[string]any{
+			"database": map[string]any{
+				"connection": map[string]any{
+					"password": "secret-nested-password",
+					"safe":     "visible",
+				},
+				"token": "secret-nested-token",
+			},
+		},
+		"items": []any{
+			map[string]any{
+				"password": "secret-array-password",
+				"safe":     "array-visible",
+			},
+			map[string]any{
+				"metadata": map[string]any{
+					"privateKey": "secret-array-private-key",
+				},
+			},
+		},
+		"stringMap": map[string]string{
+			"clientKey": "secret-client-key",
+			"owner":     "team-a",
+		},
+		"longSlice": longSlice,
+		"tooDeep":   tooDeep,
+	}
+
+	sanitized := sanitizePulsarResourceAnyMap(values, pulsarResourceSummaryStringLimit)
+	payload, err := json.Marshal(sanitized)
+	require.NoError(t, err)
+	assert.NotContains(t, string(payload), "secret-nested-password")
+	assert.NotContains(t, string(payload), "secret-nested-token")
+	assert.NotContains(t, string(payload), "secret-array-password")
+	assert.NotContains(t, string(payload), "secret-array-private-key")
+	assert.NotContains(t, string(payload), "secret-client-key")
+	assert.NotContains(t, string(payload), "secret-over-budget")
+
+	nested := sanitized["nested"].(map[string]any)
+	database := nested["database"].(map[string]any)
+	connection := database["connection"].(map[string]any)
+	assert.Equal(t, pulsarResourceRedactedValue, connection["password"])
+	assert.Equal(t, "visible", connection["safe"])
+	assert.Equal(t, pulsarResourceRedactedValue, database["token"])
+
+	items := sanitized["items"].([]any)
+	firstItem := items[0].(map[string]any)
+	assert.Equal(t, pulsarResourceRedactedValue, firstItem["password"])
+	assert.Equal(t, "array-visible", firstItem["safe"])
+	secondItem := items[1].(map[string]any)
+	metadata := secondItem["metadata"].(map[string]any)
+	assert.Equal(t, pulsarResourceRedactedValue, metadata["privateKey"])
+
+	stringMap := sanitized["stringMap"].(map[string]string)
+	assert.Equal(t, pulsarResourceRedactedValue, stringMap["clientKey"])
+	assert.Equal(t, "team-a", stringMap["owner"])
+
+	limitedSlice := sanitized["longSlice"].([]any)
+	assert.Len(t, limitedSlice, pulsarResourceSummaryStringLimit)
+
+	limitedMap := make(map[string]any, pulsarResourceSummaryStringLimit+1)
+	for i := 0; i <= pulsarResourceSummaryStringLimit; i++ {
+		limitedMap[fmt.Sprintf("key-%02d", i)] = i
+	}
+	sanitizedLimitedMap := sanitizePulsarResourceAnyMap(limitedMap, pulsarResourceSummaryStringLimit)
+	assert.Len(t, sanitizedLimitedMap, pulsarResourceSummaryStringLimit)
+	assert.NotContains(t, sanitizedLimitedMap, fmt.Sprintf("key-%02d", pulsarResourceSummaryStringLimit))
+}
+
 func TestPulsarContextResourceReadRedactsSecrets(t *testing.T) {
 	t.Parallel()