Merge commit from fork

Mask values of subcommand option arguments

Author: sdruskat

CHANGELOG.md

@@ -31,6 +31,10 @@ and this project tries to adhere to [Semantic Versioning](https://semver.org/spe
 
 - Update poetry to more recent version. (#347)
 
+### Security
+
+- Patch raw logging of '-O' values that could have included arbitrary secrets. (https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23)
+
 ## [0.9.0] - 2025-02-26
 
 ### Added

src/hermes/commands/cli.py

@@ -16,6 +16,7 @@
                              HermesHarvestCommand, HermesProcessCommand, HermesCurateCommand,
                              HermesDepositCommand, HermesPostprocessCommand, HermesInitCommand)
 from hermes.commands.base import HermesCommand
+from hermes.utils import mask_options_values
 
 
 def main() -> None:
@@ -63,7 +64,7 @@ def main() -> None:
 
     logger.init_logging()
     log = logger.getLogger("hermes.cli")
-    log.debug("Running hermes with the following command line arguments: %s", args)
+    log.debug("Running hermes with the following command line arguments: %s", mask_options_values(args))
 
     try:
         log.debug("Loading settings...")

src/hermes/utils.py

@@ -8,6 +8,7 @@
 from importlib.metadata import metadata
 from mimetypes import guess_type
 from pathlib import Path
+import argparse
 
 
 def retrieve_project_urls(metadata_urls: list[str]) -> dict[str, str]:
@@ -80,3 +81,25 @@ def guess_file_type(path: Path):
 
     # use non-strict mode to cover more file types
     return guess_type(path, strict=False)
+
+def mask_options_values(args: argparse.Namespace) -> argparse.Namespace:
+    """Masks potentially sensitive values in the 'options' argument
+    in the passed argparse.Namespace.
+
+    The main use case for this is preventing potentially sensitive
+    data/secrets being included in raw args logging.
+
+    :param args: The argparse.Namespace to mask.
+    :return: A copy of the namespace with masked sensitive values.
+    """
+    import copy
+
+    masked_args = copy.copy(args)
+
+    # Mask the values for 'options' if they exist
+    if hasattr(masked_args, "options") and masked_args.options:
+        masked_args.options = [
+            (key, "***REDACTED***") for key, value in masked_args.options
+        ]
+
+    return masked_args

test/hermes_test/test_utils.py

@@ -5,6 +5,7 @@
 
 import toml
 from pathlib import Path
+from argparse import Namespace
 
 pyproject = toml.load(Path(__file__).parent.parent.parent / "pyproject.toml")
 expected_name = pyproject["project"]["name"]
@@ -22,3 +23,8 @@ def test_hermes_user_agent():
     assert (
         hermes_user_agent == f"{expected_name}/{expected_version} ({expected_homepage})"
     )
+
+def test_mask_values_options():
+    from hermes.utils import mask_options_values
+    ns = Namespace(foo="bar", options=[("foo", "bar"), ("bar", "foo")])
+    assert mask_options_values(ns) == Namespace(foo="bar", options=[("foo", "***REDACTED***"), ("bar", "***REDACTED***")])