Improves logging of environment variables

Fixes: #3542

Author: ssbarnea

docs/changelog/3542.bugfix.rst

@@ -0,0 +1,2 @@
+Improves logging of environment variables by sorting them by key and redacting
+the values for the ones that are likely to contain secrets.

src/tox/tox_env/api.py

@@ -31,22 +31,15 @@
     from tox.tox_env.installer import Installer
 
 LOGGER = logging.getLogger(__name__)
+# Based on original gitleaks rule named generic-api-key
+# See: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml#L587
 SECRET_ENV_VAR_REGEX = re.compile(
-    r"""(?ix)                              # case-insensitive, verbose mode
-    ^\s*                                   # optional leading whitespace
-    (?P<key>                               # capture group: key
-        (?:\w*(_)?)
-        (?:
-            (SECRET|TOKEN|KEY|PASSWORD|PWD|CRED|PRIVATE|AUTH|API)
-        )
-        (?:\w*)                             # allow variable prefixes/suffixes
-    )\s*=\s*                                # equal sign with optional spaces
-    (?P<value>                              # capture group: value
-        (['"])?                             # optional opening quote
-        ([A-Za-z0-9\-_]{12,})               # suspicious value (long, alphanumeric)
-        \1?                                 # optional closing quote matching opening
-    )
-    """
+    r"""(?ix)[\w.-]{0,50}?
+    (?:access|auth|(?-i:[Aa]pi|API)|credential|creds|key|passw(?:or)?d|secret|token)
+    (?:[ \t\w.-]{0,20})[\s'"]{0,3}
+    (?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}
+    ([\w.=-]{10,150}|[a-z0-9][a-z0-9+/]{11,}={0,3})
+    (?:[\x60'"\s;]|\\[nr]|$)"""
 )
 
 

tests/tox_env/test_api.py

@@ -39,9 +39,21 @@ def test_setenv_section_substitution(tox_project: ToxProjectCreator) -> None:
 
 
 @pytest.mark.parametrize(
-    ("key", "value", "expected"), [pytest.param("FOO", "bar", "bar"), pytest.param("GITHUB_TOKEN", "foo", "***")]
+    ("key", "do_redact"),
+    [
+        pytest.param("ACCESS_TOKEN", True),
+        pytest.param("API_KEY", True),
+        pytest.param("DB_PASSWORD", True),
+        pytest.param("FOO", False),
+        pytest.param("GITHUB_TOKEN", True),
+        pytest.param("NORMAL_VAR", False),
+        pytest.param("SECRET", True),
+    ],
 )
-def test_redact(key: str, value: str, expected: str) -> None:
+def test_redact(key: str, do_redact: bool) -> None:
     """Ensures that redact_value works as expected."""
-    result = redact_value(key, value)
-    assert result == expected
+    result = redact_value(key, "foo")
+    if do_redact:
+        assert result == "***"
+    else:
+        assert result == "foo"