Fix when no secret exists + revamp

cbeauchesne · cbeauchesne · commit c388a6e4c8b3 · 2025-01-20T15:31:24.000+01:00
diff --git a/utils/proxy/scrubber.py b/utils/proxy/scrubber.py
@@ -10,45 +10,32 @@
 _name_filter = re.compile(r"key|token|secret|pass|docker_login", re.IGNORECASE)
 
 
-def _get_secrets_str() -> tuple[list[str], str]:
+def _get_secrets() -> list[str]:
     secrets: list = [
-        value for name, value in os.environ.items() if value and name not in _not_secrets and _name_filter.search(name)
-    ]
-    redacted = "<redacted>"
-    return secrets, redacted
-
-
-def _get_secrets_bytes() -> tuple[list[bytes], bytes]:
-    secrets: list = [
-        value.encode()
+        value.strip()
         for name, value in os.environ.items()
-        if value and name not in _not_secrets and _name_filter.search(name)
+        if value.strip() and name not in _not_secrets and _name_filter.search(name)
     ]
-    redacted = b"<redacted>"
+    return secrets
 
-    return secrets, redacted
 
-
-def _instrument_write_methods_str(f) -> None:
-    # get list of secrets at each call, because environ may be updated
+def _instrument_write_methods_str(f, secrets: list[str]) -> None:
     original_write = f.write
-    secrets, redacted = _get_secrets_str()
     secret_regex = re.compile("|".join(re.escape(s) for s in secrets))
 
     def write(data):
-        data = re.sub(secret_regex, redacted, data)
+        data = re.sub(secret_regex, "<redacted>", data)
         original_write(data)
 
     f.write = write
 
 
-def _instrument_write_methods_bytes(f) -> None:
+def _instrument_write_methods_bytes(f, secrets: list[str]) -> None:
     original_write = f.write
-    secrets, redacted = _get_secrets_bytes()
-    secret_regex = re.compile(b"|".join(re.escape(s) for s in secrets))
+    secret_regex = re.compile(b"|".join(re.escape(s.encode()) for s in secrets))
 
     def write(data):
-        data = re.sub(secret_regex, redacted, data)
+        data = re.sub(secret_regex, b"<redacted>", data)
         original_write(data)
 
     f.write = write
@@ -57,11 +44,14 @@ def write(data):
 def _instrumented_open(file, mode="r", *args, **kwargs):  # noqa: ANN002
     f = _original_open(file, mode, *args, **kwargs)
 
-    if "w" in mode or "a" in mode:
+    # get list of secrets at each call, because environ may be updated
+    secrets = _get_secrets()
+
+    if ("w" in mode or "a" in mode) and len(secrets) > 0:
         if "b" in mode:
-            _instrument_write_methods_bytes(f)
+            _instrument_write_methods_bytes(f, secrets)
         else:
-            _instrument_write_methods_str(f)
+            _instrument_write_methods_str(f, secrets)
 
     return f
 
