Prevent accidental stripping of debug_redact options via import option.

mkruskal-google · copybara-github · commit e7ee9fabd1fa · 2025-10-02T21:51:29.000-07:00
Because we use reflection to check this metadata on custom options during debug string redaction, there's nothing enforcing that these options will be linked into the binary.  In order to avoid stripping this and leaking PII, we just ban optional dependencies on protos used to annotate sensitive data.

PiperOrigin-RevId: 814426143
diff --git a/src/google/protobuf/compiler/command_line_interface.cc b/src/google/protobuf/compiler/command_line_interface.cc
@@ -24,6 +24,7 @@
 #include <fstream>
 #include <iostream>
 #include <memory>
+#include <optional>
 #include <ostream>
 #include <string>
 #include <utility>
@@ -1039,6 +1040,90 @@ bool HasReservedFieldNumber(const FieldDescriptor* field) {
   return false;
 }
 
+bool HasDebugRedact(const EnumDescriptor& enm) {
+  for (int i = 0; i < enm.value_count(); ++i) {
+    const EnumValueDescriptor* value = enm.value(i);
+    if (value->options().debug_redact()) {
+      return true;
+    }
+  }
+  return false;
+}
+
+bool HasDebugRedact(const Descriptor& desc,
+                    absl::flat_hash_map<const Descriptor*, bool>& visited);
+
+bool HasDebugRedact(const FieldDescriptor& field,
+                    absl::flat_hash_map<const Descriptor*, bool>& visited) {
+  if (field.enum_type() != nullptr && HasDebugRedact(*field.enum_type())) {
+    return true;
+  }
+  if (field.message_type() != nullptr &&
+      HasDebugRedact(*field.message_type(), visited)) {
+    return true;
+  }
+  return false;
+}
+
+bool HasDebugRedact(const Descriptor& desc,
+                    absl::flat_hash_map<const Descriptor*, bool>& visited) {
+  auto result = visited.emplace(&desc, false);
+  if (!result.second) {
+    return result.first->second;
+  }
+  for (int i = 0; i < desc.field_count(); ++i) {
+    if (HasDebugRedact(*desc.field(i), visited)) {
+      visited[&desc] = true;
+      return true;
+    }
+  }
+  return false;
+}
+
+// Look for any enums with values marked debug_redact within this message
+// schema.  These can be used to mark fields that need to be redacted in debug
+// string APIs, but are only discoverable via reflection that doesn't force
+// linkage.
+std::optional<std::string> FindDebugRedactMarker(const FileDescriptor& desc) {
+  std::optional<std::string> debug_redact_value;
+  absl::flat_hash_map<const Descriptor*, bool> visited;
+  google::protobuf::internal::VisitDescriptors(
+      desc, [&debug_redact_value, &visited](const FieldDescriptor& field) {
+        if (field.is_extension() && HasDebugRedact(field, visited)) {
+          debug_redact_value = field.full_name();
+        }
+      });
+  return debug_redact_value;
+}
+
+bool ValidateOptionImports(const FileDescriptor& file,
+                           const DescriptorPool& pool,
+                           DescriptorPool::ErrorCollector* printer) {
+  for (int i = 0; i < file.option_dependency_count(); ++i) {
+    const FileDescriptor* dep =
+        pool.FindFileByName(file.option_dependency_name(i));
+    if (dep == nullptr) {
+      // If we don't have the dependency we can't validate it, assume it's ok.
+      continue;
+    }
+    std::optional<std::string> debug_redact_value = FindDebugRedactMarker(*dep);
+    if (debug_redact_value.has_value()) {
+      printer->RecordError(
+          file.name(), "", nullptr, DescriptorPool::ErrorCollector::OPTION_NAME,
+          absl::StrCat(
+              "Optional dependency ", dep->name(), " contains a custom option ",
+              *debug_redact_value,
+              " marked debug_redact, which is used to mark fields that need to "
+              "be redacted in debug string APIs. Switch to a regular import or "
+              "remove the debug_redact annotation to avoid potentially leaking "
+              "sensitive data."));
+      return false;
+    }
+  }
+
+  return true;
+}
+
 }  // namespace
 
 namespace {
@@ -1294,6 +1379,11 @@ int CommandLineInterface::Run(int argc, const char* const argv[]) {
   bool validation_error = false;  // Defer exiting so we log more warnings.
 
   for (auto& file : parsed_files) {
+    if (!ValidateOptionImports(*file, *descriptor_pool,
+                               error_collector.get())) {
+      validation_error = true;
+    }
+
     google::protobuf::internal::VisitDescriptors(
         *file, [&](const FieldDescriptor& field) {
           if (HasReservedFieldNumber(&field)) {
diff --git a/src/google/protobuf/compiler/command_line_interface_unittest.cc b/src/google/protobuf/compiler/command_line_interface_unittest.cc
@@ -3151,6 +3151,105 @@ TEST_F(CommandLineInterfaceTest, WriteTransitiveOptionImportDescriptorSet) {
   EXPECT_EQ("bar.proto", descriptor_set.file(3).name());
 }
 
+TEST_F(CommandLineInterfaceTest, OptionImportWithDebugRedactFieldIsNotError) {
+  CreateTempFile("google/protobuf/descriptor.proto",
+                 google::protobuf::DescriptorProto::descriptor()->file()->DebugString());
+  CreateTempFile("custom_option.proto",
+                 R"schema(
+                    syntax = "proto2";
+                    import "google/protobuf/descriptor.proto";
+                    extend .google.protobuf.FileOptions {
+                      optional int32 file_opt = 5000 [debug_redact = true];
+                    }
+                )schema");
+  CreateTempFile("bar.proto",
+                 R"schema(
+                    edition = "2024";
+                    import option "custom_option.proto";
+                    option (file_opt) = 1;
+                    message Bar {
+                      int32 foo = 1;
+                    }
+                 )schema");
+
+  Run("protocol_compiler --descriptor_set_out=$tmpdir/descriptor_set "
+      "--include_imports --proto_path=$tmpdir bar.proto "
+      "--experimental_editions");
+
+  ExpectNoErrors();
+}
+
+TEST_F(CommandLineInterfaceTest, OptionImportWithDebugRedactIsError) {
+  CreateTempFile("google/protobuf/descriptor.proto",
+                 google::protobuf::DescriptorProto::descriptor()->file()->DebugString());
+  CreateTempFile("custom_option.proto",
+                 R"schema(
+                    syntax = "proto2";
+                    import "google/protobuf/descriptor.proto";
+                    enum MyEnum {
+                      MY_ENUM_VALUE = 0 [debug_redact = true];
+                    }
+                    extend .google.protobuf.FieldOptions {
+                      optional MyEnum file_opt = 5000 [debug_redact = true];
+                    }
+                )schema");
+  CreateTempFile("bar.proto",
+                 R"schema(
+                    edition = "2024";
+                    import option "custom_option.proto";
+                    message Bar {
+                      int32 foo = 1 [(file_opt) = MY_ENUM_VALUE];
+                    }
+                 )schema");
+
+  Run("protocol_compiler --descriptor_set_out=$tmpdir/descriptor_set "
+      "--include_imports --proto_path=$tmpdir bar.proto "
+      "--experimental_editions");
+
+  ExpectErrorSubstring(
+      "bar.proto: Optional dependency custom_option.proto contains a custom "
+      "option file_opt marked debug_redact");
+}
+
+TEST_F(CommandLineInterfaceTest, OptionImportWithDebugRedactDeeplyNested) {
+  CreateTempFile("google/protobuf/descriptor.proto",
+                 google::protobuf::DescriptorProto::descriptor()->file()->DebugString());
+  CreateTempFile("custom_option.proto",
+                 R"schema(
+                    syntax = "proto2";
+                    import "google/protobuf/descriptor.proto";
+                    enum MyEnum {
+                      MY_ENUM_VALUE = 0 [debug_redact = true];
+                    }
+                    message Container {
+                      optional MyEnum enm = 1;
+                    }
+                    message MyMessage {
+                      optional MyMessage msg = 1;
+                      optional Container ctr = 2;
+                    }
+                    extend .google.protobuf.FieldOptions {
+                      optional MyMessage file_opt = 5000 [debug_redact = true];
+                    }
+                )schema");
+  CreateTempFile("bar.proto",
+                 R"schema(
+                    edition = "2024";
+                    import option "custom_option.proto";
+                    message Bar {
+                      int32 foo = 1 [(file_opt).msg = {}];
+                    }
+                 )schema");
+
+  Run("protocol_compiler --descriptor_set_out=$tmpdir/descriptor_set "
+      "--include_imports --proto_path=$tmpdir bar.proto "
+      "--experimental_editions");
+
+  ExpectErrorSubstring(
+      "bar.proto: Optional dependency custom_option.proto contains a custom "
+      "option file_opt marked debug_redact");
+}
+
 TEST_F(CommandLineInterfaceTest, DisallowMissingOptionImportsDescriptorSetIn) {
   FileDescriptorSet file_descriptor_set;
 
