Redact secrets when logging config and warn user when changing categories

pyproject.toml

@@ -52,6 +52,7 @@ dependencies = [
 	"mdx-gh-links==0.4",
 	"l2m4m==1.0.4",
 	"pymdown-extensions==10.17.1",
+	"detect-secrets==1.5.0",
 ]
 
 [project.urls]

source/config/__init__.py

@@ -604,7 +604,7 @@ def _loadConfig(self, fn, fileError=False):
 			profileUpgrader.upgrade(profile, self.validator, writeProfileFunc)
 		except Exception as e:
 			# Log at level info to ensure that the profile is logged.
-			log.info("Config before schema update:\n%s" % profileCopy, exc_info=False)
+			log.info("Config before schema update:\n%s" % profileCopy, exc_info=False, redactSecrets=True)
 			raise e
 		# since profile settings are not yet imported we have to "peek" to see
 		# if debug level logging is enabled.
@@ -618,6 +618,7 @@ def _loadConfig(self, fn, fileError=False):
 				"Config loaded (after upgrade, and in the state it will be used by NVDA):\n{0}".format(
 					profile,
 				),
+				redactSecrets=True,
 			)
 		return profile
 

source/logHandler.py

@@ -233,15 +233,30 @@ class Logger(logging.Logger):
 
 	def _log(
 		self,
-		level,
-		msg,
+		level: int,
+		msg: str,
 		args,
-		exc_info=None,
-		extra=None,
-		codepath=None,
-		activateLogViewer=False,
-		stack_info=None,
+		exc_info: _excInfo_t | Literal[True] | BaseException = None,
+		extra: dict | None = None,
+		codepath: str | None = None,
+		activateLogViewer: bool = False,
+		stack_info: list[traceback.FrameSummary] | bool | None = None,
+		redactSecrets: bool = False,
 	):
+		"""Logs a message with the given severity level.
+
+		:param level: The severity level of the log message.
+		:param msg: The log message, which may contain format specifiers that will be replaced by the values in `args`.
+		:param args: The arguments to be merged into `msg` using the `%` operator for string formatting.
+		:param exc_info: Exception information to be logged, defaults to None
+		:param extra: Additional information to be logged, defaults to None
+		:param codepath: The code path where the log was generated, defaults to None
+		:param activateLogViewer: Whether to activate the log viewer, defaults to False
+		:param stack_info: Stack information to be logged, defaults to None
+		:param redactSecrets: Whether to check for and redact secrets in the log message, defaults to False
+		:return: The result of the logging operation
+		"""
+
 		if not extra:
 			extra = {}
 
@@ -273,7 +288,20 @@ def _log(
 				"".join(traceback.format_list(stack_info)).rstrip(),
 			)
 
-		res = super()._log(level, msg, args, exc_info, extra)
+		if redactSecrets:
+			from detect_secrets.core.scan import scan_line
+			from detect_secrets.settings import default_settings
+
+			formattedMsg = msg % args if args else msg
+
+			with default_settings():
+				for secret in list(scan_line(formattedMsg)):
+					formattedMsg = formattedMsg.replace(secret.secret_value, "****")
+
+			res = super()._log(level, formattedMsg, (), exc_info, extra)
+
+		else:
+			res = super()._log(level, msg, args, exc_info, extra)
 
 		if activateLogViewer:
 			# Make the log text we just wrote appear in the log viewer.

source/setup.py

@@ -319,6 +319,8 @@ def _genManifestTemplate(shouldHaveUIAccess: bool) -> tuple[int, int, bytes]:
 			"mdx_truly_sane_lists",
 			"mdx_gh_links",
 			"pymdownx",
+			# Force as only import is scoped in a function.
+			"detect_secrets",
 		],
 		"includes": [
 			"nvdaBuiltin",

user_docs/en/changes.md

@@ -70,6 +70,10 @@ Please refer to [the developer guide](https://download.nvaccess.org/documentatio
   * uv to 0.11.4. (#19548, #19908)
   * Requests to 2.33.0. (#19877)
   * cryptography to 46.0.6. (#19877)
+* A new parameter `redactSecrets` has been added to logging functions e.g. `log.debug`. (#19966)
+  * When set to `True`, logging output will be sanitized to replace detected secrets with asterisks.
+  * This is set to `False` by default for performance purposes.
+  * It is encouraged to enable this when logging anything particularly sensitive e.g. clipboard content.
 * NVDA libraries built by the build system are now linked with the [/SETCOMPAT](https://learn.microsoft.com/en-us/cpp/build/reference/cetcompat) flag, improving protection against certain malware attacks. (#19435, @LeonarddeR)
 * Subclasses of `browseMode.BrowseModeDocumentTreeInterceptor` that support screen layout being on and off should override the `_toggleScreenLayout` method, rather than implementing `script_toggleScreenLayout` directly. (#19487)
 * A new method has been added to the UIA.UIA class, called `_getUIACacheablePropertyValue_handleCOMErrors`. (#19646, @Emil-18)