Skip to content

STRATCONN-6355 - [S3] - SHA256 support#3802

Open
joe-ayoub-segment wants to merge 12 commits into
mainfrom
s3-shah256-support
Open

STRATCONN-6355 - [S3] - SHA256 support#3802
joe-ayoub-segment wants to merge 12 commits into
mainfrom
s3-shah256-support

Conversation

@joe-ayoub-segment

@joe-ayoub-segment joe-ayoub-segment commented May 20, 2026

Copy link
Copy Markdown
Contributor

Adds a columns_to_hash field to the S3 destination that allows customers to specify which columns should be hashed before being written to the output file
Supports configurable hash algorithms per column (currently SHA256, extensible to others)
Includes validation that rejects missing fields, unsupported algorithms, and column names that don't match the configured columns
Gated behind the actions-s3-hashing feature flag — when the flag is off, hashing configuration is ignored
Uses the shared processHashing utility for consistent hashing behavior (including pre-hash detection)

Testing

Staging test to be completed. TODO

  • Manual verification with feature flag enabled in staging
  • Manual verification that hashing is skipped when feature flag is disabled

Unit tests added:

  • Existing tests pass (17 original tests unaffected)
  • New tests verify columns are SHA256-hashed in output
  • New tests verify non-configured columns remain unchanged
  • New tests verify empty/null values are not hashed
  • New tests verify validation errors for missing column_name, missing hash_algorithm, unsupported algorithms, and non-existent columns

E2E tests added

Verified that hashed columns feature working as expected.

image image

Security Review

Please ensure sensitive data is properly protected in your integration.

  • Reviewed all field definitions for sensitive data (API keys, tokens, passwords, client secrets) and confirmed they use type: 'password'

New Destination Checklist

  • Extracted all action API versions to verioning-info.ts file. example

Copilot AI review requested due to automatic review settings May 20, 2026 12:58

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds configurable SHA256 hashing for selected output columns in the S3 → Sync to S3 action, so users can hash specific column values before the file is written and uploaded to S3.

Changes:

  • Introduces a new columns_to_hash action field (array of { column_name }) to configure which columns should be hashed.
  • Updates the S3 file generation path to hash configured columns using SHA256 before CSV escaping/quoting.
  • Extends the generated Payload type to include columns_to_hash.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
packages/destination-actions/src/destinations/s3/syncToS3/generated-types.ts Adds columns_to_hash to the action payload type.
packages/destination-actions/src/destinations/s3/syncToS3/functions.ts Computes configured columns-to-hash and hashes matching column values during file generation.
packages/destination-actions/src/destinations/s3/syncToS3/fields.ts Adds UI/config field definition for columns_to_hash.

Comment thread packages/destination-actions/src/destinations/s3/syncToS3/functions.ts Outdated
Comment thread packages/destination-actions/src/destinations/s3/syncToS3/functions.ts Outdated
Copilot AI review requested due to automatic review settings May 20, 2026 13:15

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (5)

packages/destination-actions/src/destinations/s3/syncToS3/functions.ts:36

  • columns_to_hash is read only from payloads[0], so in batch mode any per-event differences will be silently ignored. Consider validating that all payloads have the same columns_to_hash configuration (or moving this to a batch-level argument) and throw a PayloadValidationError if they differ to avoid inconsistent hashing within a batch.

This issue also appears in the following locations of the same file:

  • line 27
  • line 38
  • line 75
  const headerNames = new Set(headers.map((h) => h.originalName))
  const columnsToHash = validateColumnsToHash(payloads[0]?.columns_to_hash ?? [], headerNames)

  const fileContent = generateFile(payloads, headers, delimiter, actionColName, batchColName, columnsToHash)

  const s3Client = new Client(settings.s3_aws_region, settings.iam_role_arn, settings.iam_external_id)

  await s3Client.uploadS3(
    settings,
    fileContent,

packages/destination-actions/src/destinations/s3/syncToS3/functions.ts:77

  • hash_algorithm is passed directly into crypto.createHash(). If a caller provides an unsupported/typo’d algorithm (or different casing), this will throw a low-context runtime error. Please validate against the supported set (currently only sha256) and rethrow as a PayloadValidationError with an actionable message (and/or normalize casing).
    const isLastRow = index === payloads.length - 1
    const row = headers.map((header): string => {
      if (header.originalName === actionColName) {

packages/destination-actions/src/destinations/s3/syncToS3/functions.ts:36

  • Duplicate column_name entries in columns_to_hash are silently overwritten when building the Map, which can mask configuration mistakes. Consider detecting duplicates and throwing a PayloadValidationError listing the repeated column names.
  const headerNames = new Set(headers.map((h) => h.originalName))
  const columnsToHash = validateColumnsToHash(payloads[0]?.columns_to_hash ?? [], headerNames)

  const fileContent = generateFile(payloads, headers, delimiter, actionColName, batchColName, columnsToHash)

  const s3Client = new Client(settings.s3_aws_region, settings.iam_role_arn, settings.iam_external_id)

  await s3Client.uploadS3(
    settings,
    fileContent,

packages/destination-actions/src/destinations/s3/syncToS3/functions.ts:46

  • The new columns_to_hash behavior (hashing output, invalid column validation, invalid algorithm handling) is not covered by unit tests. Since this destination already has tests for generateFile, please add test cases that assert hashed values are emitted for configured columns and that invalid configurations fail with the expected PayloadValidationError messages.
    return ''

packages/destination-actions/src/destinations/s3/syncToS3/functions.ts:43

  • The validation error message says the columns “do not exist”, but the check is against the generated output headers; a column could exist in the event payload but not be included in the output file. Consider clarifying the message to something like “not included in the output columns” (and optionally include the list of valid output column names) to make it easier to debug misconfigurations.
    payloads[0]?.s3_aws_folder_name ?? '',
    payloads[0]?.file_extension,
    signal
  )
}

Comment thread packages/destination-actions/src/destinations/s3/syncToS3/functions.ts Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (3)

packages/destination-actions/src/destinations/s3/syncToS3/functions.ts:32

  • columns_to_hash is user-configurable (fields.ts) but is silently ignored unless the actions-s3-hashing feature flag is enabled. That can lead to hard-to-diagnose misconfigurations. Consider either (a) throwing a PayloadValidationError when columns_to_hash is non-empty but the feature flag is off, or (b) hiding/gating the field itself until the flag is enabled.
  const columnsToHash =
    features && features[S3_HASHING_FEATURE_FLAG]
      ? validateColumnsToHash(payloads[0]?.columns_to_hash ?? [], new Set(headers.map((h) => h.originalName)))
      : new Map<string, HashAlgorithm>()

packages/destination-actions/src/destinations/s3/syncToS3/functions.ts:121

  • validateColumnsToHash doesn’t normalize user-provided strings (e.g. whitespace). As written, values like " email " or "sha256 " will fail validation even though they’re semantically correct. Trimming (and possibly lowercasing the algorithm) before validation would improve robustness and error quality.
  for (const entry of entries) {
    const columnName = String(entry.column_name ?? '')
    const hashAlgorithm = String(entry.hash_algorithm ?? '')

packages/destination-actions/src/destinations/s3/syncToS3/tests/index.test.ts:171

  • These assertions split the CSV row on ,, but the generated row contains quoted JSON with embedded commas (e.g. the properties column). This parsing is not CSV-safe and could produce incorrect column indexing as soon as a hashed column appears after a comma-containing field. Consider asserting against the full expected output string (as the earlier test does) or using a CSV-aware parser for the row.
    const rows = result.toString().split('\n')
    const headerRow = rows[0].split(',')
    const dataRow = rows[1].split(',')

Comment thread packages/destination-actions/src/destinations/s3/syncToS3/types.ts Outdated
Comment thread packages/destination-actions/src/destinations/s3/syncToS3/functions.ts Outdated
Comment thread packages/destination-actions/src/destinations/s3/syncToS3/__tests__/index.test.ts Outdated
@joe-ayoub-segment joe-ayoub-segment marked this pull request as ready for review May 20, 2026 14:27
@joe-ayoub-segment joe-ayoub-segment requested a review from a team as a code owner May 20, 2026 14:27
Copilot AI review requested due to automatic review settings May 20, 2026 14:27

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

@joe-ayoub-segment joe-ayoub-segment added the needs-stage-test Must be tested in Stage before deployment label May 21, 2026
Block the send with a PayloadValidationError when columns_to_hash is
configured but the actions-s3-hashing feature flag is off, so unhashed
PII is never written to S3. Adds send-level tests covering flag on/off.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 2, 2026 11:12

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Whitespace-only values now correctly fail the required checks, and
leading/trailing spaces are stripped before matching against valid
column names. Addresses Copilot review comment on PR #3802.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
joe-ayoub-segment added a commit that referenced this pull request Jul 3, 2026
Whitespace-only values now correctly fail the required checks, and
leading/trailing spaces are stripped before matching against valid
column names. Addresses Copilot review comment on PR #3802.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants