Skip to content

Attempt to sanitize some configurations before we output them #988

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
motus merged 14 commits into from
Jun 12, 2025
Merged

Attempt to sanitize some configurations before we output them #988

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
2449a63
Attempt to sanitize some configurations before we output them.
bpkroth Jun 2, 2025
fdd42f0
Update mlos_bench/mlos_bench/util.py
bpkroth Jun 2, 2025
88c7ac7
Update mlos_bench/mlos_bench/util.py
bpkroth Jun 2, 2025
a00841c
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Jun 2, 2025
a7473be
tests
bpkroth Jun 2, 2025
55034b5
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Jun 2, 2025
802f280
rename
bpkroth Jun 2, 2025
55ccf29
fixups
bpkroth Jun 2, 2025
b24c697
Merge branch 'main' into feature/avoid-logging-passwords
bpkroth Jun 5, 2025
e86bcfe
Fixup some broken links
bpkroth Jun 5, 2025
cb41300
mypy
bpkroth Jun 5, 2025
b57c927
mypy
bpkroth Jun 5, 2025
21b7e6d
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Jun 5, 2025
a541a8d
Merge branch 'main' into feature/avoid-logging-passwords
motus Jun 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions mlos_bench/mlos_bench/services/config_persistence.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@
merge_parameters,
path_join,
preprocess_dynamic_configs,
sanitize_config,
)

if TYPE_CHECKING:
Expand Down Expand Up @@ -277,7 +278,7 @@ def prepare_class_load(
_LOG.debug(
"Instantiating: %s with config:\n%s",
class_name,
json5.dumps(class_config, indent=2),
json5.dumps(sanitize_config(class_config), indent=2),
)

return (class_name, class_config)
Expand Down Expand Up @@ -574,7 +575,13 @@ def build_service(
services from the list plus the parent mix-in.
"""
if _LOG.isEnabledFor(logging.DEBUG):
_LOG.debug("Build service from config:\n%s", json5.dumps(config, indent=2))
_LOG.debug(
"Build service from config:\n%s",
json5.dumps(
sanitize_config(config),
indent=2,
),
)

assert isinstance(config, dict)
config_list: list[dict[str, Any]]
Expand Down
67 changes: 67 additions & 0 deletions mlos_bench/mlos_bench/tests/test_sanitize_confs.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
#
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
#
"""
Unit tests for sanitize_conf utility function.

Tests cover obfuscation of sensitive keys and recursive sanitization.
"""
from mlos_bench.util import sanitize_config


def test_sanitize_config_simple() -> None:
"""Test sanitization of a simple configuration dictionary."""
config = {
"username": "user1",
"password": "mypassword",
"token": "abc123",
"api_key": "key",
"secret": "shh",
"other": 42,
}
sanitized = sanitize_config(config)
assert sanitized["username"] == "user1"
assert sanitized["password"] == "[REDACTED]"
assert sanitized["token"] == "[REDACTED]"
assert sanitized["api_key"] == "[REDACTED]"
assert sanitized["secret"] == "[REDACTED]"
assert sanitized["other"] == 42


def test_sanitize_config_nested() -> None:
"""Test sanitization of nested dictionaries."""
config = {
"outer": {
"password": "pw",
"inner": {"token": "tok", "foo": "bar"},
},
"api_key": "key",
}
sanitized = sanitize_config(config)
assert sanitized["outer"]["password"] == "[REDACTED]"
assert sanitized["outer"]["inner"]["token"] == "[REDACTED]"
assert sanitized["outer"]["inner"]["foo"] == "bar"
assert sanitized["api_key"] == "[REDACTED]"


def test_sanitize_config_no_sensitive_keys() -> None:
"""Test that no changes are made if no sensitive keys are present."""
config = {"foo": 1, "bar": {"baz": 2}}
sanitized = sanitize_config(config)
assert sanitized == config


def test_sanitize_config_mixed_types() -> None:
"""Test sanitization with mixed types including lists and dicts."""
config = {
"password": None,
"token": 123,
"secret": ["a", "b"],
"api_key": {"nested": "val"},
}
sanitized = sanitize_config(config)
assert sanitized["password"] == "[REDACTED]"
assert sanitized["token"] == "[REDACTED]"
assert sanitized["secret"] == "[REDACTED]"
assert sanitized["api_key"] == "[REDACTED]"
31 changes: 31 additions & 0 deletions mlos_bench/mlos_bench/util.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -462,3 +462,34 @@ def datetime_parser(
if new_datetime_col.le(_MIN_TS).any():
raise ValueError(f"Invalid date range in the data: {datetime_col}")
return new_datetime_col


def sanitize_config(config: dict[str, Any]) -> dict[str, Any]:
"""
Sanitize a configuration dictionary by obfuscating potentially sensitive keys.

Parameters
----------
config : dict
Configuration dictionary to sanitize.

Returns
-------
dict
Sanitized configuration dictionary.
"""
sanitize_keys = {"password", "secret", "token", "api_key"}

def recursive_sanitize(conf: dict[str, Any]) -> dict[str, Any]:
"""Recursively sanitize a dictionary."""
sanitized = {}
for k, v in conf.items():
if k in sanitize_keys:
sanitized[k] = "[REDACTED]"
elif isinstance(v, dict):
sanitized[k] = recursive_sanitize(v) # type: ignore[assignment]
else:
sanitized[k] = v
return sanitized

return recursive_sanitize(config)
Loading