
Secret overriding does not work when used with tags

Open mlgarchery opened this issue 9 months ago • 2 comments

Describe the bug

Secret overriding is not taken into account when used with tags.

To Reproduce

Steps to reproduce the behavior:

  1. Override a secret that has a tag "mytag"
  2. Run infisical secrets to see that the secret is a personal one (overridden)
  3. Run infisical run --tags=mytag -- node
  4. Type process.env.YOUR_SECRET
  5. See the bug: the variable value is not the overridden one

Expected behavior

The variable value should be the overridden one, as secret overriding is the default behaviour.

Platform you are having the issue on:

Self-hosted: https://hub.docker.com/layers/infisical/infisical/latest-postgres/images/sha256-641f4792ce89595c5aefd77f2df20a5dbb7e8519402634e8f4163c08c5d5f1ee
CLI: Infisical version 0.39.0

Additional context

mlgarchery Apr 09 '25 12:04

I looked into this issue and here's why it happens:

When a secret override is created, it's made as a new entry in the secrets_v2 table. When this new entry is created, tag junctions from the original secret are not copied over. At the database level, this new override is now treated as a secret without tags.

The function which fetches secrets filters out any entries that don't have a secret_v2_tag_junction relation. Here's the exact line which applies this filter: https://github.com/Infisical/infisical/blob/cdc364d44c90cdd5b245df916779413a6ef01656/backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts#L650

To solve this issue, the developers would either need to copy over tag junctions for overrides at the database level OR update the findByFolderIds function to account for override secret entries that are related to secrets with tags.

The second option is the easiest; all you'd need to do is remove this filter and add a new filter which only keeps secrets that have the target tags OR have the same key & env as a different secret that has the tags.

Here's a commit I made on my fork which applies the second fix: https://github.com/x032205/infisical/commit/e191fccd653781db1e958a9180025ccd79739a05

I'm not going to open a pull request for this since it's such a low-level change. The devs may choose to handle this issue differently, so I'd like to wait for them to take action on this instead of opening a pull request.

x032205 Apr 13 '25 03:04
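The filter change described in the comment above, as an added illustration that is not the project's code or the linked commit: the row shape, sample rows and field names below are constructed and simplified, not Infisical's secrets_v2 schema. The buggy filter drops the untagged personal override so the shared value wins; the fixed filter keeps any row sharing key and env with a tagged row, so the override is applied.

```typescript
// Constructed, simplified model of secrets_v2 rows (not the project's schema).
// A personal override is a separate row with the same key/env as the shared
// secret but, as the comment explains, no tag junctions of its own.
type SecretRow = {
  key: string;
  env: string;
  type: "shared" | "personal";
  value: string;
  tags: string[]; // tag slugs reachable via the tag junction table
};

// Constructed sample data for one environment.
const SAMPLE_ROWS: SecretRow[] = [
  { key: "DB_URL", env: "dev", type: "shared", value: "postgres://shared", tags: ["mytag"] },
  { key: "DB_URL", env: "dev", type: "personal", value: "postgres://override", tags: [] },
  { key: "API_KEY", env: "dev", type: "shared", value: "k-shared", tags: ["mytag"] },
  { key: "UNTAGGED", env: "dev", type: "shared", value: "x", tags: [] },
];

// Behaviour reported in the issue: only rows with a matching tag junction
// survive, so the untagged override row is silently discarded.
function filterByTagsBuggy(rows: SecretRow[], tags: string[]): SecretRow[] {
  return rows.filter((r) => r.tags.some((t) => tags.includes(t)));
}

// Proposed fix: keep a row if it carries a target tag itself OR if another
// row with the same env and key does (so overrides of tagged secrets survive).
function filterByTagsFixed(rows: SecretRow[], tags: string[]): SecretRow[] {
  const taggedKeys = new Set(
    filterByTagsBuggy(rows, tags).map((r) => `${r.env}/${r.key}`),
  );
  return rows.filter((r) => taggedKeys.has(`${r.env}/${r.key}`));
}

// Resolve the final value per key: a personal override replaces the shared value.
function resolveEnv(rows: SecretRow[]): Record<string, string> {
  const out: Record<string, string> = {};
  for (const r of rows) {
    if (r.type === "shared" && out[r.key] === undefined) out[r.key] = r.value;
  }
  for (const r of rows) {
    if (r.type === "personal") out[r.key] = r.value;
  }
  return out;
}

console.log(resolveEnv(filterByTagsBuggy(SAMPLE_ROWS, ["mytag"])).DB_URL); // postgres://shared
console.log(resolveEnv(filterByTagsFixed(SAMPLE_ROWS, ["mytag"])).DB_URL); // postgres://override
```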

Hey @x032205, great reply. The team is internally thinking through tags vs metadata on secrets. Once we reach the end of the conversation, we'll put more details here.

maidul98 Apr 13 '25 21:04