Build: obfuscate private variables (#12366)

humitos · stsewd · web-flow · commit 8e43dbadd77c · 2025-07-30T10:45:13.000+02:00
Replace the value of private variables with the first 4 chars of it and `****`. This is a protection to avoid leaking private variables by mistake. The same pattern is used in the dashboard when listing these variables. Closes readthedocs/readthedocs-corporate#2004 --------- Co-authored-by: Santos Gallegos <stsewd@proton.me>
diff --git a/readthedocs/doc_builder/environments.py b/readthedocs/doc_builder/environments.py
@@ -200,6 +200,8 @@ def sanitize_output(self, output: str) -> str:
             2. Chunk at around ``DATA_UPLOAD_MAX_MEMORY_SIZE`` bytes to be sent
                over the API call request
 
+            3. Obfuscate private environment variables.
+
         :param output: stdout/stderr to be sanitized
 
         :returns: sanitized output as string
@@ -232,6 +234,17 @@ def sanitize_output(self, output: str) -> str:
                 f"{truncated_output}"
             )
 
+        # Obfuscate private environment variables.
+        if self.build_env:
+            # NOTE: we can't use `self._environment` here because we don't know
+            # which variable is public/private since it's just a name/value
+            # dictionary. We need to check with the APIProject object (`self.build_env.project`).
+            for name, spec in self.build_env.project._environment_variables.items():
+                if not spec["public"]:
+                    value = spec["value"]
+                    obfuscated_value = f"{value[:4]}****"
+                    sanitized = sanitized.replace(value, obfuscated_value)
+
         return sanitized
 
     def get_command(self):
diff --git a/readthedocs/rtd_tests/tests/test_doc_building.py b/readthedocs/rtd_tests/tests/test_doc_building.py
@@ -8,6 +8,7 @@
 from django_dynamic_fixture import get
 from docker.errors import APIError as DockerAPIError
 
+from readthedocs.projects.models import APIProject
 from readthedocs.builds.models import Version
 from readthedocs.doc_builder.environments import (
     BuildCommand,
@@ -41,7 +42,7 @@ def test_record_command_as_success(self):
         api_client.command().patch.return_value = {
             "id": 1,
         }
-        project = get(Project)
+        project = APIProject(**get(Project).__dict__)
         build_env = LocalBuildEnvironment(
             project=project,
             build={
@@ -258,7 +259,7 @@ def test_missing_command(self):
 
     def test_output(self):
         """Test output command."""
-        project = get(Project)
+        project = APIProject(**get(Project).__dict__)
         api_client = mock.MagicMock()
         build_env = LocalBuildEnvironment(
             project=project,
@@ -310,6 +311,34 @@ def test_sanitize_output(self):
         for output, sanitized in checks:
             self.assertEqual(cmd.sanitize_output(output), sanitized)
 
+    def test_obfuscate_output_private_variables(self):
+        build_env = mock.MagicMock()
+        build_env.project = mock.MagicMock()
+        build_env.project._environment_variables = mock.MagicMock()
+        build_env.project._environment_variables.items.return_value = [
+            (
+                "PUBLIC",
+                {
+                    "public": True,
+                    "value": "public-value",
+                },
+            ),
+            (
+                "PRIVATE",
+                {
+                    "public": False,
+                    "value": "private-value",
+                },
+            ),
+        ]
+        cmd = BuildCommand(["/bin/bash", "-c", "echo"], build_env=build_env)
+        checks = (
+            ("public-value", "public-value"),
+            ("private-value", "priv****"),
+        )
+        for output, sanitized in checks:
+            self.assertEqual(cmd.sanitize_output(output), sanitized)
+
     @patch("subprocess.Popen")
     def test_unicode_output(self, mock_subprocess):
         """Unicode output from command."""
