1Password secrets injector tries to conceal every random string in logs
Environment Details
Secret Injector Version: 1.0.2
1Password CLI Version: 2.23.0
Kubernetes Version: 1.32.2
Problem?
So I am using the 1Password secrets injector to inject secrets at runtime when the pod gets created. Now in the service container logs, I see a lot of <concealed by 1Password> on random strings which are not actually secrets. For example:
- "receivedAt":"20<concealed by 1Password>-03-24T07:53:33.644Z"
- "sentAt":"20<concealed by 1Password>-03-24T07:53:33.140Z"
- "timestamp":"20<concealed by 1Password>-03-24T07:53:26.830Z"
These strings are just dates and they don't need to be concealed by 1Password, but they are getting concealed. I am not sure what kind of pattern matching the injector is doing to conceal the strings, but it is doing it all wrong.
So after some time of these log statements, I see the following error and the pod restarts or goes into an error state:
20<concealed by 1Password>fatal error: concurrent map read and map write

goroutine 2875 [running]:
go.1password.io/op/op-cli/command/subprocess/masking.matches.add(...)
	/op/op-cli/command/subprocess/masking/matcher.go:14
go.1password.io/op/op-cli/command/subprocess/masking.(*stream).addMatch(0xc000196930, 0x138e65, 0x2)
	/op/op-cli/command/subprocess/masking/stream.go:50 +0xb5
go.1password.io/op/op-cli/command/subprocess/masking.(*stream).Write(0xc000196930, {0xc000534000, 0x244, 0x8000})
	/op/op-cli/command/subprocess/masking/stream.go:32 +0x108
io.copyBuffer({0x12a3d60, 0xc000196930}, {0x12a2560, 0xc0000a09a0}, {0x0, 0x0, 0x0})
	/usr/local/go/src/io/io.go:431 +0x1de
io.Copy(...)
	/usr/local/go/src/io/io.go:388
os.genericWriteTo(0xc00006aa60?, {0x12a3d60, 0xc000196930})
	/usr/local/go/src/os/file.go:269 +0x58
os.(*File).WriteTo(0xc00006aa60, {0x12a3d60, 0xc000196930})
	/usr/local/go/src/os/file.go:247 +0x9c
io.copyBuffer({0x12a3d60, 0xc000196930}, {0x12a25c0, 0xc00006aa60}, {0x0, 0x0, 0x0})
	/usr/local/go/src/io/io.go:411 +0x9d
io.Copy(...)
	/usr/local/go/src/io/io.go:388
os/exec.(*Cmd).writerDescriptor.func1()
	/usr/local/go/src/os/exec/exec.go:580 +0x34
os/exec.(*Cmd).Start.func2(0xc000416f98?)
	/usr/local/go/src/os/exec/exec.go:733 +0x2c
created by os/exec.(*Cmd).Start in goroutine 1
	/usr/local/go/src/os/exec/exec.go:732 +0x9ab

goroutine 1 [syscall, 605 minutes]:
syscall.Syscall6(0xf7, 0x1, 0x29, 0xc000477768, 0x1000004, 0x0, 0x0)
	/usr/local/go/src/syscall/syscall_linux.go:91 +0x39
os.(*Process).blockUntilWaitable(0xc0004e64b0)
	/usr/local/go/src/os/wait_waitid.go:32 +0x76
os.(*Process).wait(0xc0004e64b0)
	/usr/local/go/src/os/exec_unix.go:22 +0x25
os.(*Process).Wait(...)
	/usr/local/go/src/os/exec.go:134
os/exec.(*Cmd).Wait(0xc0001d2300)
	/usr/local/go/src/os/exec/exec.go:906 +0x45
go.1password.io/op/op-cli/command/subprocess.Run({0x12b5db8, 0x1ae34a0}, {0x7ffdbd552edf?, 0x0?}, {0xc0002db9d0?, 0xc0001b79a8?, 0x0?}, {0xc0000ad808, 0x72, 0x72}, ...)
	/op/op-cli/command/subprocess/subprocess.go:70 +0x666
go.1password.io/op/op-cli/command.(*runCommand).Run(0xc00025ab00)
	/op/op-cli/command/run.go:154 +0x39f
go.1password.io/op/op-cli/command.Bind.func3(0xc00030b808?, {0xc0002db980?, 0x3?, 0x4?})
	/op/op-cli/command/command.go:71 +0x47
github.com/spf13/cobra.(*Command).execute(0xc00030b808, {0xc0002db940, 0x4, 0x4})
	/op/vendor/github.com/spf13/cobra/command.go:983 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0x1a72ec0)
	/op/vendor/github.com/spf13/cobra/command.go:1115 +0x3ff
go.1password.io/op/op-cli/command.Execute()
	/op/op-cli/command/root.go:340 +0x65
main.main()
	/op/op-cli/main.go:15 +0x30

goroutine 32 [IO wait, 605 minutes]:
internal/poll.runtime_pollWait(0x7a9329e81568, 0x72)
	/usr/local/go/src/runtime/netpoll.go:345 +0x85
internal/poll.(*pollDesc).wait(0xc0003c2700?, 0xc000398000?, 0x0)
	/usr/local/go/src/internal/poll/fd_poll_runtime.go:84 +0x27
internal/poll.(*pollDesc).waitRead(...)
	/usr/local/go/src/internal/poll/fd_poll_runtime.go:89
internal/poll.(*FD).Read(0xc0003c2700, {0xc000398000, 0x1000, 0x1000})
	/usr/local/go/src/internal/poll/fd_unix.go:164 +0x27a
net.(*netFD).Read(0xc0003c2700, {0xc000398000?, 0xf00040?, 0xc0000bdc88?})
	/usr/local/go/src/net/fd_posix.go:55 +0x25
net.(*conn).Read(0xc00006a350, {0xc000398000?, 0xc0001fbad0?, 0xc0000bdc88?})
	/usr/local/go/src/net/net.go:185 +0x45
bufio.(*Reader).Read(0xc0003be3c0, {0xc0003234d0, 0x1, 0xc0000bdd68?})
	/usr/local/go/src/bufio/bufio.go:241 +0x197
io.ReadAtLeast({0x12a3380, 0xc0003be3c0}, {0xc0003234d0, 0x1, 0x9}, 0x1)
	/usr/local/go/src/io/io.go:335 +0x90
io.ReadFull(...)
	/usr/local/go/src/io/io.go:354
encoding/gob.decodeUintReader({0x12a3380, 0xc0003be3c0}, {0xc0003234d0, 0x9, 0x9})
	/usr/local/go/src/encoding/gob/decode.go:116 +0x51
encoding/gob.(*Decoder).recvMessage(0xc000382bd0)
	/usr/local/go/src/encoding/gob/decoder.go:84 +0x33
encoding/gob.(*Decoder).decodeTypeSequence(0xc000382bd0, 0x0)
	/usr/local/go/src/encoding/gob/decoder.go:150 +0x47
encoding/gob.(*Decoder).DecodeValue(0xc000382bd0, {0xedbf20?, 0xc0004e3440?, 0xc000037008?})
	/usr/local/go/src/encoding/gob/decoder.go:229 +0x16e
encoding/gob.(*Decoder).Decode(0xc000382bd0, {0xedbf20?, 0xc0004e3440?})
	/usr/local/go/src/encoding/gob/decoder.go:206 +0x12f
net/rpc.(*gobClientCodec).ReadResponseHeader(0xf68920?, 0xecf6a0?)
	/usr/local/go/src/net/rpc/client.go:228 +0x25
net/rpc.(*Client).input(0xc0003be480)
	/usr/local/go/src/net/rpc/client.go:109 +0x9f
created by net/rpc.NewClientWithCodec in goroutine 1
	/usr/local/go/src/net/rpc/client.go:206 +0xb6

goroutine 2873 [runnable]:
sync.(*Mutex).lockSlow(0xc000196990)
	/usr/local/go/src/sync/mutex.go:117 +0x27f
sync.(*Mutex).Lock(...)
	/usr/local/go/src/sync/mutex.go:90
go.1password.io/op/op-cli/command/subprocess/masking.(*stream).flush(0xc000196930, 0xc00059ef48?)
	/op/op-cli/command/subprocess/masking/stream.go:61 +0x6d
go.1password.io/op/op-cli/command/subprocess/masking.(*Masker).Start(0xc0004dc040)
	/op/op-cli/command/subprocess/masking/masker.go:100 +0xc9
created by go.1password.io/op/op-cli/command/subprocess.addMasker in goroutine 1
	/op/op-cli/command/subprocess/subprocess.go:145 +0x56c

goroutine 2874 [IO wait, 605 minutes]:
internal/poll.runtime_pollWait(0x7a9329e81470, 0x72)
	/usr/local/go/src/runtime/netpoll.go:345 +0x85
internal/poll.(*pollDesc).wait(0xc0000ca6c0?, 0xc00052c000?, 0x1)
	/usr/local/go/src/internal/poll/fd_poll_runtime.go:84 +0x27
internal/poll.(*pollDesc).waitRead(...)
	/usr/local/go/src/internal/poll/fd_poll_runtime.go:89
internal/poll.(*FD).Read(0xc0000ca6c0, {0xc00052c000, 0x8000, 0x8000})
	/usr/local/go/src/internal/poll/fd_unix.go:164 +0x27a
os.(*File).read(...)
	/usr/local/go/src/os/file_posix.go:29
os.(*File).Read(0xc00006aa48, {0xc00052c000?, 0xeffcc0?, 0xf7d901?})
	/usr/local/go/src/os/file.go:118 +0x52
io.copyBuffer({0x12a3d60, 0xc0001968c0}, {0x12a2560, 0xc0000a0990}, {0x0, 0x0, 0x0})
	/usr/local/go/src/io/io.go:429 +0x191
io.Copy(...)
	/usr/local/go/src/io/io.go:388
os.genericWriteTo(0xc00006aa48?, {0x12a3d60, 0xc0001968c0})
	/usr/local/go/src/os/file.go:269 +0x58
os.(*File).WriteTo(0xc00006aa48, {0x12a3d60, 0xc0001968c0})
	/usr/local/go/src/os/file.go:247 +0x9c
io.copyBuffer({0x12a3d60, 0xc0001968c0}, {0x12a25c0, 0xc00006aa48}, {0x0, 0x0, 0x0})
	/usr/local/go/src/io/io.go:411 +0x9d
io.Copy(...)
	/usr/local/go/src/io/io.go:388
os/exec.(*Cmd).writerDescriptor.func1()
	/usr/local/go/src/os/exec/exec.go:580 +0x34
os/exec.(*Cmd).Start.func2(0xc0005aef98?)
	/usr/local/go/src/os/exec/exec.go:733 +0x2c
created by os/exec.(*Cmd).Start in goroutine 1
	/usr/local/go/src/os/exec/exec.go:732 +0x9ab

goroutine 2876 [runnable]:
os/signal.signal_recv()
	/usr/local/go/src/runtime/sigqueue.go:152 +0x29
os/signal.loop()
	/usr/local/go/src/os/signal/signal_unix.go:23 +0x13
created by os/signal.Notify.func1.1 in goroutine 1
	/usr/local/go/src/os/signal/signal.go:151 +0x1f
Now I am stuck on this and not sure what to do. Any help would be greatly appreciated.
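
The two symptoms reported above are consistent with substring masking that also applies to very short values, and with a match map touched from two goroutines without a shared lock. The sketch below is an added example, not 1Password's code and not part of the original post; `Masker`, `NewMasker`, `Mask`, `Hits`, the `minLen` threshold and the sample values (including the two-character value `25`) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

const mask = "<concealed by 1Password>"
// Masker is a hypothetical stand-in for a log-masking filter (not op's code).
type Masker struct {
	mu      sync.Mutex     // guards hits, which Mask writes and Hits reads
	secrets []string       // values to conceal
	hits    map[string]int // replacements made per value
}

// NewMasker drops values shorter than minLen; minLen 0 masks every value.
func NewMasker(values []string, minLen int) *Masker {
	m := &Masker{hits: map[string]int{}}
	for _, v := range values {
		if v != "" && len(v) >= minLen {
			m.secrets = append(m.secrets, v)
		}
	}
	return m
}

// Mask replaces every occurrence of each value in one chunk of output.
func (m *Masker) Mask(chunk string) string {
	m.mu.Lock() // unlocked, Mask and Hits on two goroutines race on the map
	defer m.mu.Unlock()
	for _, v := range m.secrets {
		m.hits[v] += strings.Count(chunk, v)
		chunk = strings.ReplaceAll(chunk, v, mask)
	}
	return chunk
}

func (m *Masker) Hits(v string) int {
	m.mu.Lock()
	defer m.mu.Unlock()
	return m.hits[v]
}

func main() {
	vals := []string{"25", "tok_constructed_example"} // constructed values
	line := `"timestamp":"2025-03-24T07:53:26.830Z" auth=tok_constructed_example`
	fmt.Println(NewMasker(vals, 0).Mask(line)) // short value eats part of the year
	fmt.Println(NewMasker(vals, 8).Mask(line)) // only the long value is masked
}
```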