This repository was archived by the owner on Jun 5, 2025. It is now read-only.

@jhrozek jhrozek commented Dec 2, 2024

  • Add an output pipeline - Adds an output pipeline with its own context and a possibility to buffer in case a step tells the pipeline to not forward the chunk. The buffer is stored into in case a chunk is not evaluated which means that subsequent steps can keep on buffering potentially redacted text for un-redaction later. The remainder of the buffer is flushed upon consuming the stream.
  • Split out parts of the CodegateSecrets pipeline step into a secret manager - We'll want to decrypt secrets on the way from the LLM. For that we need to reuse parts of functionality that were so far in the secret encryption step. This commit splits them into a secrets manager.
  • Implement secret unredaction step
  • Plug in the secrets manager and output pipeline
  • Clean up the secure pipeline after the completion is concluded
  • Unit test the de-obfuscation of secrets

Fixes: #160
Related: #90

jhrozek commented Dec 2, 2024

Here's how it looks in action:
[Screenshot 2024-12-03 at 00 31 00]

Meanwhile in codegate logs:

Protected text:


```py app.py (5-11)
@app.route('/')
def hello():
    GITHUB_TOKEN="REDACTED<$OFjLhYcNI3ZtQi/ZH/Ss422cQhrtiHGJLnxlQ6LQUGAqEfCfdOOKq0mVadEViKLPC2M9Op+3Vnj492Ax6mxM6SBn/P2A9G3ys0hGavwg5Q==>"
    if __name__ == '__main__':
        app.run()
    return "Hello, World!"
```

Adds an output pipeline with its own context and a possibility to buffer
in case a step tells the pipeline to not forward the chunk.

The buffer is stored into in case a chunk is not evaluated which means
that subsequent steps can keep on buffering potentially redacted text
for un-redaction later.

The remainder of the buffer is flushed upon consuming the stream.
…nager

We'll want to decrypt secrets on the way from the LLM. For that we need
to reuse parts of functionality that were so far in the secret
encryption step.

This commit splits them into a secrets manager.
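
The buffering described in the commit messages above, sketched as an added example (not code from this pull request or from CodeGate). The `REDACTED<$…>` marker shape is taken from the log excerpt in this thread; the `UnredactBuffer` class, the dict standing in for the secrets manager's decryption, and the function names are assumptions made for illustration.

```python
import re

# Marker shape as it appears in the log excerpt in this thread.
MARKER_START = "REDACTED<$"
MARKER_RE = re.compile(r"REDACTED<\$([^>]+)>")


class UnredactBuffer:
    """Hypothetical output step: restores secrets, buffering split markers."""

    def __init__(self, lookup):
        # Assumption: a dict stands in for the secrets manager's decryption.
        self._lookup = lookup
        self._buf = ""

    def feed(self, chunk):
        """Return the text that is safe to forward now; keep the rest buffered."""
        text = MARKER_RE.sub(self._restore, self._buf + chunk)
        cut = self._hold_from(text)
        self._buf = text[cut:]
        return text[:cut]

    def flush(self):
        """End of stream: emit whatever is still buffered."""
        out, self._buf = self._buf, ""
        return out

    def _restore(self, match):
        # Unknown markers are left untouched rather than guessed at.
        return self._lookup.get(match.group(1), match.group(0))

    @staticmethod
    def _hold_from(text):
        start = text.rfind(MARKER_START)
        if start != -1 and ">" not in text[start:]:
            return start  # marker opened but not yet closed
        for n in range(min(len(MARKER_START) - 1, len(text)), 0, -1):
            if text.endswith(MARKER_START[:n]):
                return len(text) - n  # tail may be the start of a marker
        return len(text)


def unredact_stream(chunks, lookup):
    """Run constructed chunks through the step and collect what is forwarded."""
    step = UnredactBuffer(lookup)
    out = [step.feed(chunk) for chunk in chunks]
    out.append(step.flush())
    return out
```

A marker that never closes stays buffered until `flush()`, so a consumer of this sketch must always call it when the stream ends.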
@lukehinds lukehinds left a comment

Nice! Thanks @jhrozek!

@lukehinds lukehinds merged commit c3543da into stacklok:main Dec 3, 2024
Successfully merging this pull request may close these issues.

Deobfuscate secrets in a new output pipeline