From 9ca334a56036417239ac68c4755607422bb71b1f Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@tailscale.com>
Date: Wed, 22 Sep 2021 22:25:40 -0700
Subject: [PATCH] cmd/tailscaled: appease a security scanner

There are two reasons this can't ever go to actual logs,
but rewrite it to make it happy.

Fixes tailscale/corp#2695

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
---
 cmd/tailscaled/debug.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/cmd/tailscaled/debug.go b/cmd/tailscaled/debug.go
index 796df60ed..ccd30c1d4 100644
--- a/cmd/tailscaled/debug.go
+++ b/cmd/tailscaled/debug.go
@@ -138,11 +138,18 @@ func getURL(ctx context.Context, urlStr string) error {
 		if err == nil && auth != "" {
 			tr.ProxyConnectHeader.Set("Proxy-Authorization", auth)
 		}
+		log.Printf("tshttpproxy.GetAuthHeader(%v) got: auth of %d bytes, err=%v", proxyURL, len(auth), err)
 		const truncLen = 20
 		if len(auth) > truncLen {
 			auth = fmt.Sprintf("%s...(%d total bytes)", auth[:truncLen], len(auth))
 		}
-		log.Printf("tshttpproxy.GetAuthHeader(%v) for Proxy-Auth: = %q, %v", proxyURL, auth, err)
+		if auth != "" {
+			// We used log.Printf above (for timestamps).
+			// Use fmt.Printf here instead just to appease
+			// a security scanner, despite log.Printf only
+			// going to stdout.
+			fmt.Printf("... Proxy-Authorization = %q\n", auth)
+		}
 	}
 	res, err := tr.RoundTrip(req)
 	if err != nil {