fix(security): Add API key masking in exceptions

Open colesmcintosh opened this issue 8 months ago • 1 comments

Title

fix(security): Add API key masking in exceptions

Relevant issues

https://github.com/BerriAI/litellm/issues/9007

Pre-Submission checklist

[x] I have Added testing in the tests/litellm/ directory, Adding at least 1 test is a hard requirement - Created tests/test_exceptions_masking.py with tests for API key masking
[x] I have added a screenshot of my new test passing locally - Tests pass successfully
[x] My PR passes all unit tests on (make test-unit)[https://docs.litellm.ai/docs/extras/contributing_code]
[x] My PR's scope is as isolated as possible, it only solves 1 specific problem

Type

🐛 Bug Fix

Changes

This PR adds API key masking functionality to all exception messages in litellm to prevent accidental exposure of sensitive data like API keys in error messages and logs.

Changes include:

Import SensitiveDataMasker utility from litellm.litellm_core_utils.sensitive_data_masker
Implement a _mask_message helper function in exceptions.py that uses regex patterns to detect and mask sensitive information like API keys
Apply the masking function to all exception types
Add comprehensive regex patterns for various API key formats (OpenAI, AWS, Azure, etc.)
Add unit tests to verify the masking functionality

The implementation uses regex patterns to identify sensitive data in exception messages and masks them with the original prefixes and suffixes visible, but the middle portion replaced with asterisks.