From bfcbe83ab5fcabedba545a298c501e050df39464 Mon Sep 17 00:00:00 2001
From: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>
Date: Tue, 28 Jan 2025 10:57:06 -0500
Subject: [PATCH] sec: sanitize identity token from events (#24966)

* bug: sanitize identity token from events
* add changelog
---
 .changelog/24966.txt | 3 +++
 nomad/state/events.go | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/24966.txt

diff --git a/.changelog/24966.txt b/.changelog/24966.txt
new file mode 100644
index 000000000..7cc48fd80
--- /dev/null
+++ b/.changelog/24966.txt
@@ -0,0 +1,3 @@
+```release-note:security
+api: sanitize the SignedIdentities in allocations of events to clean the identity token.
+```
diff --git a/nomad/state/events.go b/nomad/state/events.go
index c2c30e10c..29abd6d9f 100644
--- a/nomad/state/events.go
+++ b/nomad/state/events.go
@@ -341,7 +341,7 @@ func eventFromChange(change memdb.Change) (structs.Event, bool) {
 FilterKeys: filterKeys,
 Namespace: after.Namespace,
 Payload: &structs.AllocationEvent{
- Allocation: alloc,
+ Allocation: alloc.Sanitize(),
 },
 }, true
 case "jobs":
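Review bot: The `Allocation: alloc.Sanitize(),` line in the allocation payload is the only thing keeping signed identity tokens out of the event stream, and the diffstat shows no test accompanying it, so a later refactor could reintroduce the raw `alloc` unnoticed. A regression test that passes eventFromChange an allocation with populated SignedIdentities and asserts the emitted payload carries none would pin the fix. A why-comment above the line would also help, e.g. `// Sanitize strips SignedIdentities so identity tokens are never sent to event subscribers.` eventFromChange starts and ends outside the hunk, so whether other cases embed allocations that need the same treatment cannot be checked from here.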