Improved test and added default exclude regexes from known web-tokens

Crivella · Crivella · commit 2f8a1aa62a80 · 2025-05-16T15:22:33.000+02:00
diff --git a/easybuild/tools/testing.py b/easybuild/tools/testing.py
@@ -37,6 +37,7 @@
 """
 import copy
 import os
+import re
 import sys
 from datetime import datetime
 from time import gmtime, strftime
@@ -59,6 +60,34 @@
 _log = fancylogger.getLogger('testing', fname=False)
 
 _exclude_env_from_report = []
+DEFAULT_EXCLUDE_FROM_REPORT_RGX = [
+    # From PR comments https://github.com/easybuilders/easybuild-framework/pull/4877
+    r'AKIA[0-9A-Z]{16}',  # AWS access key
+    r'[A-Za-z0-9/+=]{40}',  # AWS secret key
+    r'eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+',  # JWT token
+    r'gh[pousr]_[A-Za-z0-9_]{36,}',  # GitHub token
+    r'xox[baprs]-[A-Za-z0-9-]+',  # Slack token
+
+    # https://github.com/odomojuli/regextokens
+    r'^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$',  # Base64
+    r'[1-9][0-9]+-[0-9a-zA-Z]{40}',  # Twitter token
+    r'EAACEdEose0cBA[0-9A-Za-z]+',  # Facebook token
+    r'[0-9a-fA-F]{7}.[0-9a-fA-F]{32}',  # Instagram token
+    r'AIza[0-9A-Za-z-_]{35}',  # Google API key
+    r'4/[0-9A-Za-z-_]+',  # Google OAuth 2.0 Auth code
+    r'ya29.[0-9A-Za-z-_]+',  # Google OAuth 2.0 access token
+    r'[rs]k_live_[0-9a-z]{32}',  # Picatic/Stripe API key
+    r'sqOatp-[0-9A-Za-z-_]{22}',  # Square Access token
+    r'access_token,production$[0-9a-z]{161[0-9a,]{32}',  # PayPal token
+    r'55[0-9a-fA-F]{32}',  # Twilio token
+    r'key-[0-9a-zA-Z]{32}',  # Mailgun API key
+    r'[0-9a-f]{32}-us[0-9]{1,2}',  # Mailchimp API key
+    r'[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}',  # Google Cloud Oauth 2.0 token
+    r'[A-Za-z0-9_]{21}--[A-Za-z0-9_]{8}',  # Google Cloud API key
+    r'[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}',  # Heroku token
+    r'sk-(.*-)?[A-Za-z0-9]{20}T3BlbkFJ[A-Za-z0-9]{20}',  # OpenAI API key
+    r'waka_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}',  # WakaTime API key
+]
 
 
 def regtest(easyconfig_paths, modtool, build_specs=None):
@@ -282,8 +311,10 @@ def create_test_report(msg, ecs_with_res, init_session_state, pr_nrs=None, gist_
     for key in sorted(environ_dump.keys()):
         if env_filter is not None and env_filter.search(key):
             continue
-        else:
-            environment += ["%s = %s" % (key, environ_dump[key])]
+        value = environ_dump[key]
+        if any(re.match(rgx, value) for rgx in DEFAULT_EXCLUDE_FROM_REPORT_RGX):
+            continue
+        environment += ["%s = %s" % (key, value)]
 
     environment = list(filter(
         lambda x: not any(y in x.upper() for y in _exclude_env_from_report),
diff --git a/test/framework/github.py b/test/framework/github.py
@@ -1318,42 +1318,75 @@ def test_github_create_test_report(self):
                 'log_file': logfile,
             }),
         ]
-        test_remove_name = 'REMOVEME'
-        test_remove_val = 'test-abc'
+        environ = {
+            'USER': 'test',
+            'DONT_REMOVE_ME': 'test-123',
+        }
+        JWT_HDR = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9'
+        JWT_PLD = 'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNzA4MzQ1MTIzLCJleHAiOjE3MDgzNTUxMjN9'
+        JWT_SIG = 'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
+        secret_environ = {
+            'REMOVEME': 'test-abc',
+            'ReMoVeMe2': 'TeSt-xyz',
+
+            'AWS_ACCESS_KEY': 'AKIAIOSFODNN7EXAMPLE',
+            'AWS_SECRET_KEY': 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
+            'JWT': '.'.join([JWT_HDR, JWT_PLD, JWT_SIG]),
+            'GH_TOKEN': 'ghp_123456789_ABCDEFGHIJKlmnopqrstuvwxyz',
+            'SLACK_TOKEN': 'xoxb-1234567890-1234567890123-ABCDEFabcdef',
+        }
         init_session_state = {
             'easybuild_configuration': ['EASYBUILD_DEBUG=1'],
-            'environment': {
-                'USER': 'test',
-                test_remove_name: test_remove_val,
-            },
+            'environment': {**environ, **secret_environ},
             'module_list': [{'mod_name': 'test'}],
             'system_info': {'name': 'test'},
             'time': gmtime(0),
         }
 
         # Test exclude_env_from_report_add/clear
-        exclude_env_from_report_add(test_remove_name.lower())  # Also check that the name is uppercased in the check
+        exclude_env_from_report_add('REMOVEME'.lower())  # Also check that the name is uppercased in the check
 
         res = create_test_report("just a test", ecs_with_res, init_session_state)
         patterns = [
             "**SUCCESS** _test.eb_",
             "**FAIL (build issue)** _fail.eb_",
             "01 Jan 1970 00:00:00",
             "EASYBUILD_DEBUG=1",
+            "DONT_REMOVE_ME = test-123",
         ]
         for pattern in patterns:
             self.assertIn(pattern, res['full'])
-        self.assertNotIn(test_remove_name, res['full'])
+
+        # Test that excluded patterns works by matching also partial strings
+        exclude_patterns1 = [
+            'REMOVEME',
+            'ReMoVeMe2',
+        ]
+        # Test that known token regexes for ENV vars are excluded by default
+        exclude_patterns2 = [
+            'AWS_ACCESS_KEY',
+            'AWS_SECRET_KEY',
+            'JWT',
+            'GH_TOKEN',
+            'SLACK_TOKEN',
+        ]
+        for pattern in exclude_patterns1 + exclude_patterns2:
+            # .lower() test that variable name is not case sensitive for excluding
+            self.assertNotIn(pattern.lower(), res['full'])
 
         exclude_env_from_report_clear()
+        patterns += exclude_patterns1
 
         res = create_test_report("just a test", ecs_with_res, init_session_state)
-        patterns.append(f"{test_remove_name} = {test_remove_val}")
         for pattern in patterns:
             self.assertIn(pattern, res['full'])
 
         for pattern in patterns[:2]:
-            self.assertIn(pattern, res['full'])
+            self.assertIn(pattern, res['overview'])
+
+        for pattern in exclude_patterns2:
+            # .lower() test that variable name is not case sensitive for excluding
+            self.assertNotIn(pattern.lower(), res['full'])
 
         # mock create_gist function, we don't want to actually create a gist every time we run this test...
         def fake_create_gist(*args, **kwargs):
@@ -1371,7 +1404,7 @@ def fake_create_gist(*args, **kwargs):
             self.assertIn(pattern, res['full'])
 
         for pattern in patterns[:3]:
-            self.assertIn(pattern, res['full'])
+            self.assertIn(pattern, res['overview'])
 
         self.assertIn("**SUCCESS** _test.eb_", res['overview'])
 
