Attempt to sanitize some configurations before we output them (#988)

bpkroth · Copilot · pre-commit-ci[bot] · web-flow · commit 3111f9be483e · 2025-06-12T01:26:40.000Z
# Pull Request ## Title Attempt to sanitize some configurations before we output them ______________________________________________________________________ ## Description Address some code scanning complaints and try to sanitize some configs before outputing them. > Note: this is not meant as a complete fix for those warnings, but only a start. We can fix more locations using `sanitize_config` in the future prior to printing. ______________________________________________________________________ ## Type of Change - 🛠️ Bug fix ______________________________________________________________________ ## Testing - Security scans and other usual CI ______________________________________________________________________ ## Additional Notes Also includes link fixes from #989 ______________________________________________________________________ --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Sergiy Matusevych <sergiym@microsoft.com>
diff --git a/mlos_bench/mlos_bench/services/config_persistence.py b/mlos_bench/mlos_bench/services/config_persistence.py
@@ -33,6 +33,7 @@
     merge_parameters,
     path_join,
     preprocess_dynamic_configs,
+    sanitize_config,
 )
 
 if TYPE_CHECKING:
@@ -277,7 +278,7 @@ def prepare_class_load(
             _LOG.debug(
                 "Instantiating: %s with config:\n%s",
                 class_name,
-                json5.dumps(class_config, indent=2),
+                json5.dumps(sanitize_config(class_config), indent=2),
             )
 
         return (class_name, class_config)
@@ -574,7 +575,13 @@ def build_service(
             services from the list plus the parent mix-in.
         """
         if _LOG.isEnabledFor(logging.DEBUG):
-            _LOG.debug("Build service from config:\n%s", json5.dumps(config, indent=2))
+            _LOG.debug(
+                "Build service from config:\n%s",
+                json5.dumps(
+                    sanitize_config(config),
+                    indent=2,
+                ),
+            )
 
         assert isinstance(config, dict)
         config_list: list[dict[str, Any]]
diff --git a/mlos_bench/mlos_bench/tests/test_sanitize_confs.py b/mlos_bench/mlos_bench/tests/test_sanitize_confs.py
@@ -0,0 +1,67 @@
+#
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+#
+"""
+Unit tests for sanitize_conf utility function.
+
+Tests cover obfuscation of sensitive keys and recursive sanitization.
+"""
+from mlos_bench.util import sanitize_config
+
+
+def test_sanitize_config_simple() -> None:
+    """Test sanitization of a simple configuration dictionary."""
+    config = {
+        "username": "user1",
+        "password": "mypassword",
+        "token": "abc123",
+        "api_key": "key",
+        "secret": "shh",
+        "other": 42,
+    }
+    sanitized = sanitize_config(config)
+    assert sanitized["username"] == "user1"
+    assert sanitized["password"] == "[REDACTED]"
+    assert sanitized["token"] == "[REDACTED]"
+    assert sanitized["api_key"] == "[REDACTED]"
+    assert sanitized["secret"] == "[REDACTED]"
+    assert sanitized["other"] == 42
+
+
+def test_sanitize_config_nested() -> None:
+    """Test sanitization of nested dictionaries."""
+    config = {
+        "outer": {
+            "password": "pw",
+            "inner": {"token": "tok", "foo": "bar"},
+        },
+        "api_key": "key",
+    }
+    sanitized = sanitize_config(config)
+    assert sanitized["outer"]["password"] == "[REDACTED]"
+    assert sanitized["outer"]["inner"]["token"] == "[REDACTED]"
+    assert sanitized["outer"]["inner"]["foo"] == "bar"
+    assert sanitized["api_key"] == "[REDACTED]"
+
+
+def test_sanitize_config_no_sensitive_keys() -> None:
+    """Test that no changes are made if no sensitive keys are present."""
+    config = {"foo": 1, "bar": {"baz": 2}}
+    sanitized = sanitize_config(config)
+    assert sanitized == config
+
+
+def test_sanitize_config_mixed_types() -> None:
+    """Test sanitization with mixed types including lists and dicts."""
+    config = {
+        "password": None,
+        "token": 123,
+        "secret": ["a", "b"],
+        "api_key": {"nested": "val"},
+    }
+    sanitized = sanitize_config(config)
+    assert sanitized["password"] == "[REDACTED]"
+    assert sanitized["token"] == "[REDACTED]"
+    assert sanitized["secret"] == "[REDACTED]"
+    assert sanitized["api_key"] == "[REDACTED]"
diff --git a/mlos_bench/mlos_bench/util.py b/mlos_bench/mlos_bench/util.py
@@ -462,3 +462,34 @@ def datetime_parser(
     if new_datetime_col.le(_MIN_TS).any():
         raise ValueError(f"Invalid date range in the data: {datetime_col}")
     return new_datetime_col
+
+
+def sanitize_config(config: dict[str, Any]) -> dict[str, Any]:
+    """
+    Sanitize a configuration dictionary by obfuscating potentially sensitive keys.
+
+    Parameters
+    ----------
+    config : dict
+        Configuration dictionary to sanitize.
+
+    Returns
+    -------
+    dict
+        Sanitized configuration dictionary.
+    """
+    sanitize_keys = {"password", "secret", "token", "api_key"}
+
+    def recursive_sanitize(conf: dict[str, Any]) -> dict[str, Any]:
+        """Recursively sanitize a dictionary."""
+        sanitized = {}
+        for k, v in conf.items():
+            if k in sanitize_keys:
+                sanitized[k] = "[REDACTED]"
+            elif isinstance(v, dict):
+                sanitized[k] = recursive_sanitize(v)  # type: ignore[assignment]
+            else:
+                sanitized[k] = v
+        return sanitized
+
+    return recursive_sanitize(config)
