Files
wehub-resource-sync 7a0da7932b
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:08:55 +08:00

267 lines
9.8 KiB
Python

"""Regression tests for in-scope API-key redaction in factory exception logs.
A third-party review of issue #4183 found that ``create_search_engine`` and
``_create_full_search_wrapper`` called ``redact_secrets(str(e))`` with NO
secret arguments. ``redact_secrets`` does literal-substring replacement, so
with an empty secret list it's a no-op: an exception message echoing the
API key (e.g. a constructor validation error) survived into logs verbatim.
The fix passes the in-scope key(s) — ``api_key`` in ``create_search_engine``,
and ``api_key`` / ``serpapi_api_key`` from ``wrapper_params`` in
``_create_full_search_wrapper`` — and wraps with ``sanitize_error_message``
for the shape-based pass too.
These tests use a credential with NO distinctive prefix (not ``sk-``, not
``AIza``, etc.) so that ``sanitize_error_message``'s regexes won't catch it
on shape alone — proving the literal-substring pass is what closes the leak.
The factory logs these failures via the diagnose-gated
``security.secure_logging`` wrapper at ERROR level; the levelname
assertions below guard against a re-downgrade to WARNING.
"""
from unittest.mock import Mock, patch
import pytest
from local_deep_research.web_search_engines.search_engine_factory import (
_create_full_search_wrapper,
)
FACTORY_MODULE = "local_deep_research.web_search_engines.search_engine_factory"
# 24 chars, no sk-/pk-/AIza/ghp_ prefix — survives sanitize_error_message,
# so only the literal redact_secrets(..., api_key) pass catches it.
_BARE_KEY = "test-brave-key-XYZ789"
class _RaisingWrapperBrave:
"""Mock full-search wrapper whose init echoes the brave api_key."""
def __init__(self, api_key=None, **kwargs):
raise ValueError(f"Brave wrapper rejected key: {api_key}")
class _RaisingWrapperSerpAPI:
"""Mock full-search wrapper whose init echoes the serpapi key."""
def __init__(self, serpapi_api_key=None, **kwargs):
raise ValueError(f"SerpAPI wrapper rejected key: {serpapi_api_key}")
@pytest.fixture(autouse=True)
def _bypass_engine_pdp():
"""Bypass the egress PEP so mock engine names aren't rejected.
The PEP itself is exercised in tests/security/test_egress_policy.py.
"""
from local_deep_research.security.egress.policy import Decision
with (
patch(
"local_deep_research.security.egress.policy.evaluate_engine",
return_value=Decision(True, "test_bypass"),
),
patch(
"local_deep_research.security.egress.policy.evaluate_retriever",
return_value=Decision(True, "test_bypass"),
),
):
yield
class TestCreateSearchEngineRedactsApiKey:
def test_constructor_exception_does_not_leak_api_key(self, loguru_caplog):
"""``api_key`` resolved from settings must be literal-redacted."""
from local_deep_research.web_search_engines.search_engine_factory import (
create_search_engine,
)
class _RaisingEngine:
def __init__(self, api_key=None, **kwargs):
raise ValueError(f"Bad key received: {api_key}")
settings_snapshot = {
"search.engine.web.test_engine.api_key": {"value": _BARE_KEY}
}
with (
patch(f"{FACTORY_MODULE}.retriever_registry") as mock_registry,
patch(f"{FACTORY_MODULE}.search_config") as mock_config,
patch(
f"{FACTORY_MODULE}.get_safe_module_class",
return_value=_RaisingEngine,
),
):
mock_registry.get.return_value = None
mock_config.return_value = {
"test_engine": {
"module_path": ".engines.test",
"class_name": "TestEngine",
"requires_api_key": True,
}
}
with loguru_caplog.at_level("ERROR"):
result = create_search_engine(
engine_name="test_engine",
settings_snapshot=settings_snapshot,
)
assert result is None
assert _BARE_KEY not in loguru_caplog.text
assert "Bad key received" in loguru_caplog.text
assert "***REDACTED***" in loguru_caplog.text
# Regression guard: the factory failure must stay at ERROR, not be
# re-downgraded to WARNING. Filter by message so an unrelated
# record can't satisfy (or break) the assertion.
matching = [
r
for r in loguru_caplog.records
if "Bad key received" in r.getMessage()
]
assert matching
assert all(r.levelname == "ERROR" for r in matching)
class TestCreateFullSearchWrapperRedactsKeys:
def test_brave_wrapper_exception_does_not_leak_api_key(self, loguru_caplog):
base_engine = Mock()
engine_config = {
"full_search_module": ".engines.full_search",
"full_search_class": "FullSearchResults",
}
settings_snapshot = {
"search.engine.web.brave.api_key": {"value": _BARE_KEY}
}
with patch(
f"{FACTORY_MODULE}.get_safe_module_class",
return_value=_RaisingWrapperBrave,
):
with loguru_caplog.at_level("ERROR"):
result = _create_full_search_wrapper(
"brave",
base_engine,
engine_config,
Mock(),
{},
settings_snapshot=settings_snapshot,
)
assert result is base_engine
assert _BARE_KEY not in loguru_caplog.text
assert "Brave wrapper rejected key" in loguru_caplog.text
assert "***REDACTED***" in loguru_caplog.text
matching = [
r
for r in loguru_caplog.records
if "Brave wrapper rejected key" in r.getMessage()
]
assert matching
assert all(r.levelname == "ERROR" for r in matching)
def test_serpapi_wrapper_exception_does_not_leak_key(self, loguru_caplog):
base_engine = Mock()
engine_config = {
"full_search_module": ".engines.full_search",
"full_search_class": "FullSearchResults",
}
settings_snapshot = {
"search.engine.web.serpapi.api_key": {"value": _BARE_KEY}
}
with patch(
f"{FACTORY_MODULE}.get_safe_module_class",
return_value=_RaisingWrapperSerpAPI,
):
with loguru_caplog.at_level("ERROR"):
result = _create_full_search_wrapper(
"serpapi",
base_engine,
engine_config,
Mock(),
{},
settings_snapshot=settings_snapshot,
)
assert result is base_engine
assert _BARE_KEY not in loguru_caplog.text
assert "SerpAPI wrapper rejected key" in loguru_caplog.text
assert "***REDACTED***" in loguru_caplog.text
matching = [
r
for r in loguru_caplog.records
if "SerpAPI wrapper rejected key" in r.getMessage()
]
assert matching
assert all(r.levelname == "ERROR" for r in matching)
class TestHoistedApiKeyHandlesNoKeyRequiredEngines:
def test_no_key_required_engine_exception_does_not_nameerror(
self, loguru_caplog
):
"""``api_key = None`` hoist must keep the scrub call safe on the
no-key path.
Before the hoist, ``api_key`` was only bound inside
``if requires_api_key:``. The except handler at the end of
``create_search_engine`` references ``api_key`` unconditionally —
so a constructor exception for a ``requires_api_key=False`` engine
would have raised ``NameError`` instead of logging the fallback
error. This test pins the hoist: the error log fires and the
engine returns ``None``.
"""
class _RaisingEngineNoKey:
def __init__(self, **kwargs):
raise RuntimeError("engine init blew up")
from local_deep_research.web_search_engines.search_engine_factory import (
create_search_engine,
)
# Non-empty snapshot — the factory rejects empty/falsy snapshots in
# thread context. The engine_config mock below is what actually
# drives the requires_api_key=False path; the snapshot just needs to
# be truthy to clear the thread-context guard.
settings_snapshot = {"_test_marker": True}
with (
patch(f"{FACTORY_MODULE}.retriever_registry") as mock_registry,
patch(f"{FACTORY_MODULE}.search_config") as mock_config,
patch(
f"{FACTORY_MODULE}.get_safe_module_class",
return_value=_RaisingEngineNoKey,
),
):
mock_registry.get.return_value = None
mock_config.return_value = {
"test_engine_no_key": {
"module_path": ".engines.test",
"class_name": "TestEngineNoKey",
"requires_api_key": False,
}
}
with loguru_caplog.at_level("ERROR"):
result = create_search_engine(
engine_name="test_engine_no_key",
settings_snapshot=settings_snapshot,
)
assert result is None
# The error log fired (no NameError swallowed it) and carries the
# exception message — tie them together so the assertion can't
# false-pass on an unrelated ERROR line.
assert any(
"Failed to create search engine" in line
and "engine init blew up" in line
for line in loguru_caplog.text.splitlines()
)
matching = [
r
for r in loguru_caplog.records
if "engine init blew up" in r.getMessage()
]
assert matching
assert all(r.levelname == "ERROR" for r in matching)