Improves logging of environment variables

ssbarnea · ssbarnea · commit 511fcac8223f · 2025-06-04T12:55:55.000+01:00
Fixes: #3542
diff --git a/docs/changelog/3542.bugfix.rst b/docs/changelog/3542.bugfix.rst
@@ -0,0 +1,2 @@
+Improves logging of environment variables by sorting them by key and redacting
+the values for the ones that are likely to contain secrets.
diff --git a/src/tox/tox_env/api.py b/src/tox/tox_env/api.py
@@ -31,23 +31,23 @@
     from tox.tox_env.installer import Installer
 
 LOGGER = logging.getLogger(__name__)
-SECRET_ENV_VAR_REGEX = re.compile(
-    r"""(?ix)                              # case-insensitive, verbose mode
-    ^\s*                                   # optional leading whitespace
-    (?P<key>                               # capture group: key
-        (?:\w*(_)?)
-        (?:
-            (SECRET|TOKEN|KEY|PASSWORD|PWD|CRED|PRIVATE|AUTH|API)
-        )
-        (?:\w*)                             # allow variable prefixes/suffixes
-    )\s*=\s*                                # equal sign with optional spaces
-    (?P<value>                              # capture group: value
-        (['"])?                             # optional opening quote
-        ([A-Za-z0-9\-_]{12,})               # suspicious value (long, alphanumeric)
-        \1?                                 # optional closing quote matching opening
-    )
-    """
-)
+# Based on original gitleaks rule named generic-api-key
+# See: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml#L587
+secret_keywords = [
+    "access",
+    "api",
+    "auth",
+    "client",
+    "cred",
+    "key",
+    "passwd",
+    "password",
+    "private",
+    "pwd",
+    "secret",
+    "token",
+]
+SECRET_ENV_VAR_REGEX = re.compile(".*(" + "|".join(secret_keywords) + ").*", re.IGNORECASE)
 
 
 def redact_value(name: str, value: str) -> str:
@@ -485,8 +485,20 @@ def _write_execute_log(env_name: str, log_file: Path, request: ExecuteRequest, s
         with log_file.open("wt", encoding="utf-8") as file:
             file.write(f"name: {env_name}\n")
             file.write(f"run_id: {request.run_id}\n")
+            redacted = False
+            msg = ""
             for env_key, env_value in sorted(request.env.items()):
-                file.write(f"env {env_key}: {redact_value(name=env_key, value=env_value)}\n")
+                redacted_value = redact_value(name=env_key, value=env_value)
+                if redacted_value != env_value:
+                    redacted = True
+                msg += f"env {env_key}: {redacted_value}\n"
+            if redacted:
+                msg = (
+                    "notice: Same values of the environment variables with names containing "
+                    + ", ".join(secret_keywords)
+                    + " were redacted with '*' to prevent potential leak of secrets.\n"
+                    + msg
+                )
             for meta_key, meta_value in status.metadata.items():
                 file.write(f"metadata {meta_key}: {meta_value}\n")
             file.write(f"cwd: {request.cwd}\n")
diff --git a/tests/tox_env/test_api.py b/tests/tox_env/test_api.py
@@ -39,9 +39,28 @@ def test_setenv_section_substitution(tox_project: ToxProjectCreator) -> None:
 
 
 @pytest.mark.parametrize(
-    ("key", "value", "expected"), [pytest.param("FOO", "bar", "bar"), pytest.param("GITHUB_TOKEN", "foo", "***")]
+    ("key", "do_redact"),
+    [
+        pytest.param("SOME_KEY", True, id="key"),
+        pytest.param("API_FOO", True, id="api"),
+        pytest.param("AUTH", True, id="auth"),
+        pytest.param("CLIENT", True, id="client"),
+        pytest.param("DB_PASSWORD", True, id="password"),
+        pytest.param("FOO", False, id="foo"),
+        pytest.param("GITHUB_TOKEN", True, id="token"),
+        pytest.param("NORMAL_VAR", False, id="other"),
+        pytest.param("S_PASSWD", True, id="passwd"),
+        pytest.param("SECRET", True, id="secret"),
+        pytest.param("SOME_ACCESS", True, id="access"),
+        pytest.param("MY_CRED", True, id="cred"),
+        pytest.param("MY_PRIVATE", True, id="private"),
+        pytest.param("MY_PWD", True, id="pwd"),
+    ],
 )
-def test_redact(key: str, value: str, expected: str) -> None:
+def test_redact(key: str, do_redact: bool) -> None:
     """Ensures that redact_value works as expected."""
-    result = redact_value(key, value)
-    assert result == expected
+    result = redact_value(key, "foo")
+    if do_redact:
+        assert result == "***"
+    else:
+        assert result == "foo"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Improves logging of environment variables by sorting them by key and redacting`
	`2`	`+the values for the ones that are likely to contain secrets.`