fix: logger with more masking of sensitive data (All-Hands-AI#2470)

* fix: more logger sensitive masking * fix: test_config.py updated for more sensitive patterns * added one more...
rebots-online · Jun 16, 2024 · d2509a1 · d2509a1
1 parent 798921c
commit d2509a1
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 1 deletion.
diff --git a/opendevin/core/config.py b/opendevin/core/config.py
@@ -224,7 +224,12 @@ def __str__(self):
             attr_name = f.name
             attr_value = getattr(self, f.name)
 
-            if attr_name in ['e2b_api_key', 'github_token']:
+            if attr_name in [
+                'e2b_api_key',
+                'github_token',
+                'jwt_secret',
+                'ssh_password',
+            ]:
                 attr_value = '******' if attr_value else None
 
             attr_str.append(f'{attr_name}={repr(attr_value)}')

diff --git a/opendevin/core/logger.py b/opendevin/core/logger.py
@@ -81,14 +81,18 @@ def filter(self, record):
             'aws_secret_access_key',
             'e2b_api_key',
             'github_token',
+            'jwt_secret',
+            'ssh_password',
         ]
 
         # add env var names
         env_vars = [attr.upper() for attr in sensitive_patterns]
         sensitive_patterns.extend(env_vars)
 
         # and some special cases
+        sensitive_patterns.append('JWT_SECRET')
         sensitive_patterns.append('LLM_API_KEY')
+        sensitive_patterns.append('GITHUB_TOKEN')
         sensitive_patterns.append('SANDBOX_ENV_GITHUB_TOKEN')
 
         # this also formats the message with % args

diff --git a/tests/unit/test_config.py b/tests/unit/test_config.py
@@ -315,9 +315,15 @@ def test_api_keys_repr_str():
         llm=llm_config,
         agent=agent_config,
         e2b_api_key='my_e2b_api_key',
+        jwt_secret='my_jwt_secret',
+        ssh_password='my_ssh_password',
     )
     assert "e2b_api_key='******'" in repr(app_config)
     assert "e2b_api_key='******'" in str(app_config)
+    assert "jwt_secret='******'" in repr(app_config)
+    assert "jwt_secret='******'" in str(app_config)
+    assert "ssh_password='******'" in repr(app_config)
+    assert "ssh_password='******'" in str(app_config)
 
     # Check that no other attrs in AppConfig have 'key' or 'token' in their name
     # This will fail when new attrs are added, and attract attention

diff --git a/tests/unit/test_logging.py b/tests/unit/test_logging.py
@@ -102,6 +102,7 @@ def test_sensitive_env_vars_masking(test_handler):
         'AWS_SECRET_ACCESS_KEY': 'AWS_SECRET_ACCESS_KEY_VALUE',
         'E2B_API_KEY': 'E2B_API_KEY_VALUE',
         'GITHUB_TOKEN': 'GITHUB_TOKEN_VALUE',
+        'JWT_SECRET': 'JWT_SECRET_VALUE',
     }
 
     log_message = ' '.join(