From 3d4f02b3d8bbebba5221a7307ee8f3d0a47cfdd5 Mon Sep 17 00:00:00 2001
From: Preston Mueller <skierjunk@gmail.com>
Date: Sat, 24 Jun 2023 14:51:26 -0400
Subject: [PATCH] [v3] hide secrets in healthcheck output (#697)

---
 server/app.py                | 5 ++++-
 server/chalicelib/secrets.py | 5 +++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/server/app.py b/server/app.py
index ccd530069..e8aff2bfb 100644
--- a/server/app.py
+++ b/server/app.py
@@ -49,7 +49,10 @@ def healthcheck():
             if not check_bool:
                 failed_checks[check] = "Check failed :("
         except Exception as e:
-            failed_checks[check] = f"Check threw an exception: {e}"
+            e_str = str(e)
+            for secret in secrets.HEALTHCHECK_HIDE_SECRETS:
+                e_str.replace(secret, "HIDDEN")
+            failed_checks[check] = f"Check threw an exception: {e_str}"
 
     if len(failed_checks) == 0:
         return Response(body={
diff --git a/server/chalicelib/secrets.py b/server/chalicelib/secrets.py
index db5ddc3c2..b42b3e3e7 100644
--- a/server/chalicelib/secrets.py
+++ b/server/chalicelib/secrets.py
@@ -2,3 +2,8 @@
 
 MBTA_V2_API_KEY = os.environ.get("MBTA_V2_API_KEY", "")
 MBTA_V3_API_KEY = os.environ.get("MBTA_V3_API_KEY", "")
+
+HEALTHCHECK_HIDE_SECRETS = [
+    MBTA_V2_API_KEY,
+    MBTA_V3_API_KEY
+]