Redact secrets when logging config and warn user when changing categories (#19966)

Closes #19465
Summary of the issue:

Secrets stored in NVDA config are often unintentionally logged in debug mode by NVDA
Description of user facing changes:

logging will attempt to redact secrets when the developer decides to sanitise risky log messages.
Added a new log level: secrets, to disable redactions for required debug logging.
Added a warning whenever selecting a log level below info.
Description of developer facing changes:

A new redactSecrets parameter for logging, which searches for and replaces secrets in the log message.
Description of development approach:

Use Yelp/detect-secrets

This pull request introduces secret redaction support in logging, ensuring that sensitive information is masked in log outputs when requested.
A new log level is added so you can view unredacted logs if needed.

Secret Redaction in Logging

    Added a redactSecrets parameter to the Logger._log method in logHandler.py that, when enabled, uses the detect-secrets library to scan and mask detected secrets in log messages.
    Updated logging calls in source/config/__init__.py to use redactSecrets=True when logging potentially sensitive configuration data.
    Updated the developer documentation to describe the new redactSecrets parameter and recommend its use for sensitive data.

Dependency and Packaging Support

    Added detect-secrets as a dependency in pyproject.toml and ensured all relevant submodules are included in frozen builds for dynamic plugin loading
    Include multiprocessing in bundle - needed for import, seems to functionally work?

Author: seanbudd

pyproject.toml

@@ -55,6 +55,8 @@ dependencies = [
 	# pinned due to incompatibility with py2exe
 	# https://github.com/py2exe/py2exe/issues/241
 	"charset-normalizer==3.4.4",
+	# secret scanning for logging
+	"detect-secrets==1.5.0",
 ]
 
 [project.urls]

source/argsParsing.py

@@ -1,8 +1,7 @@
-# -*- coding: UTF-8 -*-
 # A part of NonVisual Desktop Access (NVDA)
-# Copyright (C) 2024 NV Access Limited, Cyrille Bougot
-# This file is covered by the GNU General Public License.
-# See the file COPYING for more details.
+# Copyright (C) 2024-2026 NV Access Limited, Cyrille Bougot
+# This file may be used under the terms of the GNU General Public License, version 2 or later, as modified by the NVDA license.
+# For full terms and any additional permissions, see the NVDA license file: https://github.com/nvaccess/nvda/blob/master/copying.txt
 
 import argparse
 import sys
@@ -108,8 +107,8 @@ def _createNVDAArgParser() -> NoConsoleOptionParser:
 		dest="logLevel",
 		type=int,
 		default=0,  # 0 means unspecified in command line.
-		choices=[10, 12, 15, 20, 100],
-		help="The lowest level of message logged (debug 10, input/output 12, debugwarning 15, info 20, off 100).\n"
+		choices=[5, 10, 12, 15, 20, 100],
+		help="The lowest level of message logged (secrets 5, debug 10, input/output 12, debugwarning 15, info 20, off 100).\n"
 		"Default value is 20 (info) or the user configured setting.\n"
 		"Logging is always disabled if secure mode is enabled.\n",
 	)

source/config/__init__.py

@@ -624,13 +624,14 @@ def _loadConfig(self, fn: str | None, fileError: bool = False) -> ConfigObj:
 		except Exception as e:
 			if self._shouldLogConfigAtStartup(profileCopy):
 				# We must log at info level here as the logHandler hasn't been set to log at debug level yet.
-				log.info(f"Config before schema update:\n{profileCopy}")
+				log.info(f"Config before schema update:\n{profileCopy}", redactSecrets=True)
 			raise e
 
 		if self._shouldLogConfigAtStartup(profile):
 			# We must log at info level here as the logHandler hasn't been set to log at debug level yet.
 			log.info(
 				f"Config loaded (after upgrade, and in the state it will be used by NVDA):\n{profile}",
+				redactSecrets=True,
 			)
 		return profile
 

source/config/configFlags.py

@@ -1,7 +1,7 @@
 # A part of NonVisual Desktop Access (NVDA)
 # Copyright (C) 2022-2026 NV Access Limited, Cyrille Bougot, Cary-rowen
-# This file is covered by the GNU General Public License.
-# See the file COPYING for more details.
+# This file may be used under the terms of the GNU General Public License, version 2 or later, as modified by the NVDA license.
+# For full terms and any additional permissions, see the NVDA license file: https://github.com/nvaccess/nvda/blob/master/copying.txt
 
 """Flags used to define the possible values for an option in the configuration.
 Use Flag.MEMBER.value to set a new value or compare with an option in the config;
@@ -421,6 +421,7 @@ class LoggingLevel(DisplayStringIntEnum):
 	DEBUGWARNING = Logger.DEBUGWARNING
 	IO = Logger.IO
 	DEBUG = Logger.DEBUG
+	SECRETS = Logger.SECRETS
 
 	@property
 	def _displayStringLabels(self) -> dict[int, str]:
@@ -435,6 +436,8 @@ def _displayStringLabels(self) -> dict[int, str]:
 			self.IO: _("input/output"),
 			# Translators: One of the log levels of NVDA (the debug mode shows debug messages as NVDA runs).
 			self.DEBUG: _("debug"),
+			# Translators: One of the log levels of NVDA (the secrets mode logs debug messages without redacting secrets).
+			self.SECRETS: _("secrets"),
 		}
 
 

source/config/configSpec.py

@@ -2,8 +2,8 @@
 # Copyright (C) 2006-2026 NV Access Limited, Babbage B.V., Davy Kager, Bill Dengler, Julien Cochuyt,
 # Joseph Lee, Dawid Pieper, mltony, Bram Duvigneau, Cyrille Bougot, Rob Meredith,
 # Burman's Computer and Education Ltd., Leonard de Ruijter, Łukasz Golonka, Cary-rowen, Kefas Lungu
-# This file is covered by the GNU General Public License.
-# See the file COPYING for more details.
+# This file may be used under the terms of the GNU General Public License, version 2 or later, as modified by the NVDA license.
+# For full terms and any additional permissions, see the NVDA license file: https://github.com/nvaccess/nvda/blob/master/copying.txt
 
 from io import StringIO
 from configobj import ConfigObj
@@ -24,7 +24,7 @@
 	saveConfigurationOnExit = boolean(default=True)
 	askToExit = boolean(default=true)
 	playStartAndExitSounds = boolean(default=true)
-	#possible log levels are DEBUG, IO, DEBUGWARNING, INFO
+	# possible log levels are SECRETS, DEBUG, IO, DEBUGWARNING, INFO and OFF
 	loggingLevel = string(default="INFO")
 	showWelcomeDialogAtStartup = boolean(default=true)
 	preventDisplayTurningOff = boolean(default=true)

source/gui/settingsDialogs.py

@@ -7,8 +7,8 @@
 # Takuya Nishimoto, jakubl7545, Tony Malykh, Rob Meredith,
 # Burman's Computer and Education Ltd, hwf1324, Cary-rowen, Christopher Proß, Tianze
 # Neil Soiffer, Ryan McCleary, Kefas Lungu.
-# This file is covered by the GNU General Public License.
-# See the file COPYING for more details.
+# This file may be used under the terms of the GNU General Public License, version 2 or later, as modified by the NVDA license.
+# For full terms and any additional permissions, see the NVDA license file: https://github.com/nvaccess/nvda/blob/master/copying.txt
 
 import bisect
 import copy
@@ -85,6 +85,7 @@
 
 import gui
 import gui.contextHelp
+import gui.message
 import screenCurtain
 import api
 import ui
@@ -6187,6 +6188,47 @@ class PrivacyAndSecuritySettingsPanel(SettingsPanel):
 	title = _("Privacy and Security")
 	helpId = "PrivacyAndSecuritySettings"
 
+	def _getSelectedLogLevel(self) -> LoggingLevel:
+		selection = self._logLevelCombo.GetSelection()
+		if selection == wx.NOT_FOUND:
+			return LoggingLevel[config.conf["general"]["loggingLevel"]]
+		return list(LoggingLevel)[selection]
+
+	def _confirmLogLevelChange(self, selectedLogLevel: LoggingLevel) -> bool:
+		if selectedLogLevel == LoggingLevel.SECRETS:
+			message = _(
+				# Translators: Warning shown when enabling the secrets log level from NVDA settings.
+				"Setting the logging level to secrets will write sensitive information to the log without redaction, "
+				"including passwords, API keys, or other private data. "
+				"Only enable this temporarily if you explicitly need unredacted diagnostic logs. "
+				"Do you want to continue?",
+			)
+			caption = _(
+				# Translators: Title of the warning dialog shown when enabling the secrets log level.
+				"High risk logging level",
+			)
+		else:
+			message = _(
+				# Translators: Warning shown when enabling a logging level above info from NVDA settings.
+				"Setting the logging level above info may record sensitive information such as typed input, "
+				"speech output, or other private data in the log. "
+				"Only enable higher logging levels temporarily while troubleshooting. "
+				"Do you want to continue?",
+			)
+			caption = _(
+				# Translators: Title of the warning dialog shown when enabling a risky logging level.
+				"Warning",
+			)
+		dialog = gui.message.MessageDialog(
+			parent=self,
+			message=message,
+			title=caption,
+			dialogType=gui.message.DialogType.WARNING,
+			buttons=gui.message.DefaultButtonSet.YES_NO,
+			helpId="GeneralSettingsLogLevel",
+		)
+		return dialog.ShowModal() == gui.message.ReturnCode.YES
+
 	def makeSettings(self, sizer: wx.BoxSizer):
 		sHelper = guiHelper.BoxSizerHelper(self, sizer=sizer)
 
@@ -6265,6 +6307,7 @@ def makeSettings(self, sizer: wx.BoxSizer):
 			)
 		except StopIteration:
 			log.debugWarning("Could not set log level list to current log level")
+		self._savedLogLevel = self._getSelectedLogLevel()
 
 		self._allowUsageStatsCheckBox: wx.CheckBox = generalGroup.addItem(
 			# Translators: The label of a checkbox in privacy and security settings to toggle allowing of usage stats gathering
@@ -6301,10 +6344,14 @@ def onSave(self):
 		)
 
 		if not logHandler.isLogLevelForced():
-			config.conf["general"]["loggingLevel"] = logging.getLevelName(
-				list(LoggingLevel)[self._logLevelCombo.GetSelection()],
+			selectedLogLevel = self._getSelectedLogLevel()
+			updateLogLevel = selectedLogLevel != self._savedLogLevel and (
+				selectedLogLevel >= LoggingLevel.INFO or self._confirmLogLevelChange(selectedLogLevel)
 			)
-			logHandler.setLogLevelFromConfig()
+			if updateLogLevel:
+				config.conf["general"]["loggingLevel"] = logging.getLevelName(selectedLogLevel)
+				logHandler.setLogLevelFromConfig()
+				self._savedLogLevel = selectedLogLevel
 
 		if updateCheck:
 			config.conf["update"]["allowUsageStats"] = self._allowUsageStatsCheckBox.IsChecked()

source/logHandler.py

@@ -1,8 +1,8 @@
 # A part of NonVisual Desktop Access (NVDA)
 # Copyright (C) 2007-2026 NV Access Limited, Rui Batista, Joseph Lee, Leonard de Ruijter, Babbage B.V.,
 # Accessolutions, Julien Cochuyt, Cyrille Bougot, Łukasz Golonka
-# This file is covered by the GNU General Public License.
-# See the file COPYING for more details.
+# This file may be used under the terms of the GNU General Public License, version 2 or later, as modified by the NVDA license.
+# For full terms and any additional permissions, see the NVDA license file: https://github.com/nvaccess/nvda/blob/master/copying.txt
 
 """Utilities and classes to manage logging in NVDA"""
 
@@ -21,6 +21,7 @@
 import winKernel
 import buildVersion
 from typing import (
+	Any,
 	Literal,
 	NamedTuple,
 	Protocol,
@@ -31,6 +32,7 @@
 import NVDAState
 from NVDAState import WritePaths
 
+
 if TYPE_CHECKING:
 	import extensionPoints
 
@@ -222,6 +224,7 @@ class Logger(logging.Logger):
 	from logging import DEBUG, INFO, WARNING, WARN, ERROR, CRITICAL
 
 	# Our custom levels.
+	SECRETS = 5
 	IO = 12
 	DEBUGWARNING = 15
 	OFF = 100
@@ -233,15 +236,30 @@ class Logger(logging.Logger):
 
 	def _log(
 		self,
-		level,
-		msg,
-		args,
-		exc_info=None,
-		extra=None,
-		codepath=None,
-		activateLogViewer=False,
-		stack_info=None,
-	):
+		level: int,
+		msg: str,
+		args: tuple[Any, ...],
+		exc_info: _excInfo_t | bool | BaseException = None,
+		extra: dict | None = None,
+		codepath: str | None = None,
+		activateLogViewer: bool = False,
+		stack_info: list[traceback.FrameSummary] | bool | None = None,
+		redactSecrets: bool = False,
+	) -> Any:
+		"""Logs a message with the given severity level.
+
+		:param level: The severity level of the log message.
+		:param msg: The log message, which may contain format specifiers that will be replaced by the values in `args`.
+		:param args: The arguments to be merged into `msg` using the `%` operator for string formatting.
+		:param exc_info: Exception information to be logged
+		:param extra: Additional information to be logged
+		:param codepath: The code path where the log was generated
+		:param activateLogViewer: Whether to activate the log viewer
+		:param stack_info: Stack information to be logged
+		:param redactSecrets: Whether to check for and redact secrets in the log message
+		:return: The result of the logging operation (None for builtin handlers).
+		"""
+
 		if not extra:
 			extra = {}
 
@@ -273,7 +291,26 @@ def _log(
 				"".join(traceback.format_list(stack_info)).rstrip(),
 			)
 
-		res = super()._log(level, msg, args, exc_info, extra)
+		if redactSecrets and self.getEffectiveLevel() < self.SECRETS:
+			from detect_secrets.core.scan import scan_line
+			from detect_secrets.settings import default_settings
+
+			try:
+				formattedMsg = msg % args if args else msg
+			except Exception:
+				formattedMsg = msg
+				self.exception(
+					"Failed to format log message for secret redaction, logging unredacted exception.",
+				)
+
+			with default_settings():
+				for secret in list(scan_line(formattedMsg)):
+					formattedMsg = formattedMsg.replace(secret.secret_value, "****")
+
+			res = super()._log(level, formattedMsg, (), exc_info, extra)
+
+		else:
+			res = super()._log(level, msg, args, exc_info, extra)
 
 		if activateLogViewer:
 			# Make the log text we just wrote appear in the log viewer.
@@ -583,6 +620,7 @@ def initialize(shouldDoRemoteLogging=False):
 	@type shouldDoRemoteLogging: bool
 	"""
 	global log, logHandler
+	logging.addLevelName(Logger.SECRETS, "SECRETS")
 	logging.addLevelName(Logger.DEBUGWARNING, "DEBUGWARNING")
 	logging.addLevelName(Logger.IO, "IO")
 	logging.addLevelName(Logger.OFF, "OFF")
@@ -661,7 +699,7 @@ def setLogLevelFromConfig():
 	level = logging.getLevelNamesMapping().get(levelName)
 	# The lone exception to level higher than INFO is "OFF" (100).
 	# Setting a log level to something other than options found in the GUI is unsupported.
-	if level is None or level not in (log.DEBUG, log.IO, log.DEBUGWARNING, log.INFO, log.OFF):
+	if level is None or level not in (log.SECRETS, log.DEBUG, log.IO, log.DEBUGWARNING, log.INFO, log.OFF):
 		log.warning("invalid setting for logging level: %s" % levelName)
 		level = log.INFO
 		config.conf["general"]["loggingLevel"] = logging.getLevelName(log.INFO)

source/setup.py

@@ -288,8 +288,6 @@ def _genManifestTemplate(shouldHaveUIAccess: bool) -> tuple[int, int, bytes]:
 			"winxptheme",
 			# numpy is an optional dependency of comtypes but we don't require it.
 			"numpy",
-			# multiprocessing isn't going to work in a frozen environment
-			"multiprocessing",
 			"concurrent.futures.process",
 			# Tomli is part of Python 3.11+ as Tomlib, but is imported as tomli by cryptography, which causes an infinite loop in py2exe
 			"tomli",
@@ -302,6 +300,16 @@ def _genManifestTemplate(shouldHaveUIAccess: bool) -> tuple[int, int, bytes]:
 			"NVDAObjects.JAB",
 			"NVDAObjects.UIA",
 			"NVDAObjects.window",
+			# detect-secrets loads plugins and filters dynamically using pkgutil/importlib,
+			# so the relevant packages must be bundled explicitly for frozen builds.
+			"detect_secrets",
+			"detect_secrets.core",
+			"detect_secrets.core.plugins",
+			"detect_secrets.filters",
+			"detect_secrets.filters.gibberish",
+			"detect_secrets.plugins",
+			"detect_secrets.transformers",
+			"detect_secrets.util",
 			"virtualBuffers",
 			"appModules",
 			"comInterfaces",