
CVE-2025-23216:
Argo CD does not scrub secret values from patch errors

CVSS Score
6.8

Basic Information

EPSS Score
-
Published
1/30/2025
Updated
2/5/2025
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Package Name                      Ecosystem   Vulnerable Versions    First Patched Version
github.com/argoproj/argo-cd/v2    go          >= 2.13.0, < 2.13.4    2.13.4
github.com/argoproj/argo-cd/v2    go          >= 2.12.0, < 2.12.10   2.12.10
github.com/argoproj/argo-cd/v2    go          < 2.11.13              2.11.13
github.com/argoproj/argo-cd       go          <= 1.8.7               (none)

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The analysis focused on the two commits that patched the vulnerability. The first, 6f5537bdf15ddbaa0f27a1a678632ff0743e4107 in argoproj/argo-cd, primarily bumped the dependency on argoproj/gitops-engine and added an E2E test (TestMaskValuesInInvalidSecret). That test exercises the two places where the leak surfaced: the diff view and the sync operation's error message (app.Status.OperationState.Message).

The second commit, 7e21b91e9d0f64104c8a661f3f390c5e6d73ddca in argoproj/gitops-engine, contained the core fixes:

  1. Modifications to pkg/diff/diff.go, specifically in the NormalizeSecret function. The previous logic for converting stringData into data was insufficient: when the Secret was invalid, raw stringData values could survive into the diff. The patch revised the conversion so that string values are base64-encoded into data and values of any other type are moved across as-is, leaving nothing under stringData that the diff could render in plaintext.
  2. Modifications to pkg/utils/kube/kube.go in the cleanKubectlOutput function, which sanitizes error messages returned by kubectl. The patch added a regular expression that removes map structures (map[...]) from these messages, because a failed patch or apply echoes the rejected manifest back in that form, and for an invalid Secret manifest that includes the secret data. The commit message states this directly: "map[] in error output exposes secret data".
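The two fixes above, reconstructed as an added example. This is not gitops-engine's code: the Secret type, the function bodies, the "++++++++" mask placeholder, the regular expression and the sample kubectl error below are all assumptions made for illustration. It shows why both changes are needed: normalizeSecret leaves nothing under stringData (string values are base64-encoded into data, a non-string value from an invalid manifest is moved as-is) so that the diff-side masking covers every value, and cleanKubectlOutput strips nested map[...] fragments so a rejected Secret body cannot leak through the operation message.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Secret is a minimal stand-in for the unstructured Kubernetes Secret that
// gitops-engine normalizes before diffing (assumption: the real code works on
// unstructured.Unstructured; a plain map is enough to show the behaviour).
type Secret map[string]interface{}

// normalizeSecret moves every stringData entry into data: string values are
// base64-encoded, any other type an invalid manifest may carry (number, list,
// nested map) is moved across unchanged. Nothing stays under stringData, so
// the plaintext never reaches the diff. The input is not mutated.
func normalizeSecret(obj Secret) Secret {
	out := Secret{}
	for k, v := range obj {
		out[k] = v
	}
	raw, ok := obj["stringData"].(map[string]interface{})
	if !ok {
		return out
	}
	data := map[string]interface{}{}
	if existing, ok := obj["data"].(map[string]interface{}); ok {
		for k, v := range existing {
			data[k] = v
		}
	}
	for key, val := range raw {
		if s, isStr := val.(string); isStr {
			data[key] = base64.StdEncoding.EncodeToString([]byte(s))
		} else {
			data[key] = val // moved as-is; masked with the rest of data below
		}
	}
	out["data"] = data
	delete(out, "stringData")
	return out
}

// maskData replaces every value under data with a fixed placeholder, which is
// what the diff view should render for a Secret. "++++++++" is this example's
// placeholder (assumption), not necessarily what Argo CD prints.
func maskData(obj Secret) Secret {
	out := Secret{}
	for k, v := range obj {
		out[k] = v
	}
	if data, ok := obj["data"].(map[string]interface{}); ok {
		masked := map[string]interface{}{}
		for k := range data {
			masked[k] = "++++++++"
		}
		out["data"] = masked
	}
	return out
}

// mapRe matches the innermost Go-style map literal, e.g. map[token:s3cr3t].
// Applying it until nothing changes also removes the enclosing nested maps.
var mapRe = regexp.MustCompile(`map\[[^\[\]]*\]`)

// cleanKubectlOutput strips every map[...] fragment from a kubectl/apiserver
// error so the rejected Secret body cannot leak through the operation message.
func cleanKubectlOutput(msg string) string {
	for {
		next := mapRe.ReplaceAllString(msg, "")
		if next == msg {
			break
		}
		msg = next
	}
	return strings.TrimSpace(strings.Join(strings.Fields(msg), " "))
}

// Constructed sample error in the shape an apply/patch failure echoes back;
// not a captured Argo CD or kubectl message.
const sampleKubectlError = `error when patching "STDIN": Secret in version "v1" cannot be handled as a Secret: map[apiVersion:v1 kind:Secret metadata:map[name:db-creds] stringData:map[token:s3cr3t-token]]`

func main() {
	s := Secret{
		"kind":       "Secret",
		"stringData": map[string]interface{}{"password": "hunter2", "count": 3},
	}
	fmt.Println(maskData(normalizeSecret(s)))
	fmt.Println(cleanKubectlOutput(sampleKubectlError))
}
```

The regex deliberately matches only bracket-free bodies and loops to a fixed point; a single greedy `map\[.*\]` would either stop at the first `]` and leave outer maps behind or swallow unrelated text between two maps on the same line.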

Therefore, NormalizeSecret was identified as vulnerable because its previous implementation could leave secret values exposed in diffs, and cleanKubectlOutput because its previous implementation did not scrub the manifest echoed back in Kubernetes error messages, which let the same values reach the operation status.

Vulnerable functions

pkg/diff/diff.go: NormalizeSecret (argoproj/gitops-engine)
pkg/utils/kube/kube.go: cleanKubectlOutput (argoproj/gitops-engine)

WAF Protection Rules

WAF Rule

Impact

A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the
