Codex Handbook
secrets/src/sanitizer.rs 41 lines
use regex::Regex;use std::sync::LazyLock;static OPENAI_KEY_REGEX: LazyLock<Regex> = LazyLock::new(|| compile_regex(r"sk-[A-Za-z0-9]{20,}"));static AWS_ACCESS_KEY_ID_REGEX: LazyLock<Regex> =    LazyLock::new(|| compile_regex(r"\bAKIA[0-9A-Z]{16}\b"));static BEARER_TOKEN_REGEX: LazyLock<Regex> =    LazyLock::new(|| compile_regex(r"(?i)\bBearer\s+[A-Za-z0-9._\-]{16,}\b"));static SECRET_ASSIGNMENT_REGEX: LazyLock<Regex> = LazyLock::new(|| {    compile_regex(r#"(?i)\b(api[_-]?key|token|secret|password)\b(\s*[:=]\s*)(["']?)[^\s"']{8,}"#)});/// Remove secret and keys from a String. This is done on best effort basis following some/// well-known REGEX.pub fn redact_secrets(input: String) -> String {    let redacted = OPENAI_KEY_REGEX.replace_all(&input, "[REDACTED_SECRET]");    let redacted = AWS_ACCESS_KEY_ID_REGEX.replace_all(&redacted, "[REDACTED_SECRET]");    let redacted = BEARER_TOKEN_REGEX.replace_all(&redacted, "Bearer [REDACTED_SECRET]");    let redacted = SECRET_ASSIGNMENT_REGEX.replace_all(&redacted, "$1$2$3[REDACTED_SECRET]");    redacted.to_string()}fn compile_regex(pattern: &str) -> Regex {    match Regex::new(pattern) {        Ok(regex) => regex,        // Panic is ok thanks to `load_regex` test.        Err(err) => panic!("invalid regex pattern `{pattern}`: {err}"),    }}#[cfg(test)]mod tests {    use super::*;    #[test]    fn load_regex() {        // The goal of this test is just to compile all the regex to prevent the panic        let _ = redact_secrets("secret".to_string());    }}