Improve logging of environment variables

ssbarnea · ssbarnea · commit f39abe35e06b · 2025-06-03T10:23:42.000+01:00
Fixes: #3542
diff --git a/src/tox/tox_env/api.py b/src/tox/tox_env/api.py
@@ -31,6 +31,30 @@
     from tox.tox_env.installer import Installer
 
 LOGGER = logging.getLogger(__name__)
+SECRET_ENV_VAR_REGEX = re.compile(
+    r"""(?ix)                              # case-insensitive, verbose mode
+    ^\s*                                   # optional leading whitespace
+    (?P<key>                               # capture group: key
+        (?:\w*(_)?)
+        (?:
+            (SECRET|TOKEN|KEY|PASSWORD|PWD|CRED|PRIVATE|AUTH|API)
+        )
+        (?:\w*)                             # allow variable prefixes/suffixes
+    )\s*=\s*                                # equal sign with optional spaces
+    (?P<value>                              # capture group: value
+        (['"])?                             # optional opening quote
+        ([A-Za-z0-9\-_]{12,})               # suspicious value (long, alphanumeric)
+        \1?                                 # optional closing quote matching opening
+    )
+    """
+)
+
+
+def redact_value(name: str, value: str) -> str:
+    """Returns a redacted text if the key name looks like a secret."""
+    if SECRET_ENV_VAR_REGEX.match(name):
+        return "*" * len(value)
+    return value
 
 
 class ToxEnvCreateArgs(NamedTuple):
@@ -461,8 +485,8 @@ def _write_execute_log(env_name: str, log_file: Path, request: ExecuteRequest, s
         with log_file.open("wt", encoding="utf-8") as file:
             file.write(f"name: {env_name}\n")
             file.write(f"run_id: {request.run_id}\n")
-            for env_key, env_value in request.env.items():
-                file.write(f"env {env_key}: {env_value}\n")
+            for env_key, env_value in sorted(request.env.items()):
+                file.write(f"env {env_key}: {redact_value(name=env_key, value=env_value)}\n")
             for meta_key, meta_value in status.metadata.items():
                 file.write(f"metadata {meta_key}: {meta_value}\n")
             file.write(f"cwd: {request.cwd}\n")
diff --git a/tests/tox_env/test_api.py b/tests/tox_env/test_api.py
@@ -2,6 +2,10 @@
 
 from typing import TYPE_CHECKING
 
+import pytest
+
+from tox.tox_env.api import redact_value
+
 if TYPE_CHECKING:
     from pathlib import Path
 
@@ -32,3 +36,12 @@ def test_setenv_section_substitution(tox_project: ToxProjectCreator) -> None:
     project = tox_project({"tox.ini": ini})
     result = project.run()
     result.assert_success()
+
+
+@pytest.mark.parametrize(
+    ("key", "value", "expected"), [pytest.param("FOO", "bar", "bar"), pytest.param("GITHUB_TOKEN", "foo", "***")]
+)
+def test_redact(key: str, value: str, expected: str) -> None:
+    """Ensures that redact_value works as expected."""
+    result = redact_value(key, value)
+    assert result == expected
