From a25033bba5404da07a715de117a7219c2d006362 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Fri, 21 Jun 2024 14:20:56 +0200 Subject: [PATCH] apps/logs: fix some information not being redacted because of the packaging v2 flows --- src/app.py | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/app.py b/src/app.py index 3051fbbf2..12d67f0bd 100644 --- a/src/app.py +++ b/src/app.py @@ -2992,19 +2992,31 @@ def _make_environment_for_app_script( # If packaging format v2, load all settings if manifest["packaging_format"] >= 2 or force_include_app_settings: env_dict["app"] = app + data_to_redact = [] + prefixes_or_suffixes_to_redact = ["pwd", "pass", "passwd", "password", "passphrase", "secret", "key", "token"] + for setting_name, setting_value in _get_app_settings(app).items(): # Ignore special internal settings like checksum__ # (not a huge deal to load them but idk...) if setting_name.startswith("checksum__"): continue - env_dict[setting_name] = str(setting_value) + setting_value = str(setting_value) + env_dict[setting_name] = setting_value + + # Check if we should redact this setting value + # (the check on the setting length exists to prevent stupid stuff like redacting empty string or something which is actually just 0/1, true/false, ... + if len(setting_value) > 6 and any(setting_name.startswith(p) or setting_name.endswith(p) for p in prefixes_or_suffixes_to_redact): + data_to_redact.append(setting_value) # Special weird case for backward compatibility... # 'path' was loaded into 'path_url' ..... if "path" in env_dict: env_dict["path_url"] = env_dict["path"] + for operation_logger in OperationLogger._instances: + operation_logger.data_to_redact.extend(data_to_redact) + return env_dict