commit 00c3e7db1e35106d6e0cc33b7a25b43ea53a8afe
parent fe6e575b3352b2d33082b5bd3b0a94ac74394b18
Author: andrewlaack-collab <andrew.laack@imbue.com>
Date: Wed, 11 Feb 2026 00:39:16 +0000
Ensure secrets are never leaked via stack traces (#52)
* Removing dead code
* Removed secret logging dead code
Diffstat:
2 files changed, 1 insertion(+), 63 deletions(-)
diff --git a/vet/git.py b/vet/git.py
@@ -62,7 +62,6 @@ class SyncLocalGitRepo:
self,
command: Sequence[str],
check: bool = True,
- secrets: dict[str, str] | None = None,
cwd: AnyPath | None = None,
is_error_logged: bool = True,
) -> str:
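Review bot: Dropping the `secrets` keyword from the signature turns any remaining `secrets=` call site into a `TypeError` at call time, and this commit changes no caller (the diffstat lists only these two files), so it is worth confirming with the type checker or a grep that none is left. The method's `def` line and its docstring lie outside this hunk; if the docstring still describes a `secrets` argument, that line should be removed as well.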
@@ -72,7 +71,7 @@ class SyncLocalGitRepo:
"""
command_string = shlex.join(command)
logger.trace(
- f"Running command: {command_string=} from cwd={cwd or self.base_path} with {secrets=} {check=} {is_error_logged=}"
+ f"Running command: {command_string=} from cwd={cwd or self.base_path} with {check=} {is_error_logged=}"
)
completed_proc = subprocess.run(
command,
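Review bot: The trace line now omits `secrets`, but `command_string` is still interpolated verbatim, and with `check=True` (the default shown in the signature hunk above) a failing call raises `CalledProcessError`, whose message embeds the full command — so a credential carried inside a command argument (a token in a remote URL, for instance) would still reach both the log and the stack trace this commit sets out to protect; the same applies to the `subprocess.run` call continued in the next hunk. Whether any caller does that is not visible here. A comment above the log call would pin the contract for future callers: `# command arguments are logged and appear in CalledProcessError; never place credentials in them`.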
@@ -80,7 +79,6 @@ class SyncLocalGitRepo:
stdin=subprocess.DEVNULL,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
- env=secrets,
)
# note, need to be carefull not to strip() lines since whitespace may be important (e.g. for diffs)
# return joined lines since mostly we only use the output for logging, and this way we arn't
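Review bot: With `env=secrets` gone, `subprocess.run` falls back to `env=None`, so the git child inherits the parent's entire environment where a caller could previously hand it a restricted dict; anything secret that lives in the parent environment is now visible to git and to whatever it spawns (hooks, credential helpers). That is presumably intended, but nothing at the call site says so, so a one-line comment, `# env is inherited from the parent process; secrets are not injected here`, would keep the next reader from reintroducing the dict. The rest of the method continues past the hunk.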
diff --git a/vet/imbue_core/secrets_utils.py b/vet/imbue_core/secrets_utils.py
@@ -1,64 +1,4 @@
import os
-import pathlib
-
-from pydantic import SecretStr
-
-
-class Secret(SecretStr):
- """Pydantic-aware secret wrapper that hides values in logs."""
-
- def __str__(self) -> str:
- return "[redacted]"
-
- __repr__ = __str__
-
- def unwrap(self) -> str:
- return self.get_secret_value()
-
-
-class YouAreBeingTooFancyInYourSettingsFile(Exception):
- pass
-
-
-def parse_secrets_file(filepath: str | pathlib.Path) -> dict[str, str]:
- """Parse bashenv_secrets.sh-style file into a dict.
- We should REALLY NOT BE DOING THIS EVER but unfortunately that's not the case so at least let's only do it once here
-
- Not a great parser; will break in probably many scenarios but end-of-line comments are one that comes to mind
- """
- out: dict[str, str] = {}
- with open(filepath) as f:
- for line in f:
- if "$" in line:
- raise YouAreBeingTooFancyInYourSettingsFile(
- "Yeah, don't do that. This .sh file is meant to be simple definitions, it should not use any features of bash or sh, including string interpolation via $"
- )
- if "#" in line:
- if not line.startswith("#"):
- raise YouAreBeingTooFancyInYourSettingsFile("Put comments at the start of the line")
- continue
- if "\\" in line:
- raise YouAreBeingTooFancyInYourSettingsFile("No line continuations or other character escapes allowed")
- if line.startswith("export "):
- k, v = line.strip("export ").strip().split("=", maxsplit=1)
- k = k.strip()
- if k != k.upper():
- raise YouAreBeingTooFancyInYourSettingsFile(f"Key {k} must be uppercase")
- v = v.strip()
- if v.startswith('"'):
- if not v.endswith('"'):
- raise YouAreBeingTooFancyInYourSettingsFile(f"Value {v} must end with a double quote")
- v = v[1:-1]
- if v.startswith("'"):
- if not v.endswith("'"):
- raise YouAreBeingTooFancyInYourSettingsFile(f"Value {v} must end with a single quote")
- v = v[1:-1]
- out[k] = v
- elif line.strip():
- raise YouAreBeingTooFancyInYourSettingsFile(
- f"All lines must start with 'export ', but this line did not: {line}"
- )
- return out
def get_secret(secret_name: str) -> str | None: