feat: add sanitizer to redact secrets (#11600)

Adding a sanitizer crate that can redact API keys and other secret with
known pattern from a String

codex-rs/utils/sanitizer/src/lib.rs

@@ -0,0 +1,41 @@
+use regex::Regex;
+use std::sync::LazyLock;
+
+static OPENAI_KEY_REGEX: LazyLock<Regex> = LazyLock::new(|| compile_regex(r"sk-[A-Za-z0-9]{20,}"));
+static AWS_ACCESS_KEY_ID_REGEX: LazyLock<Regex> =
+    LazyLock::new(|| compile_regex(r"\bAKIA[0-9A-Z]{16}\b"));
+static BEARER_TOKEN_REGEX: LazyLock<Regex> =
+    LazyLock::new(|| compile_regex(r"(?i)\bBearer\s+[A-Za-z0-9._\-]{16,}\b"));
+static SECRET_ASSIGNMENT_REGEX: LazyLock<Regex> = LazyLock::new(|| {
+    compile_regex(r#"(?i)\b(api[_-]?key|token|secret|password)\b(\s*[:=]\s*)(["']?)[^\s"']{8,}"#)
+});
+
+/// Remove secret and keys from a String. This is done on best effort basis following some
+/// well-known REGEX.
+pub fn redact_secrets(input: String) -> String {
+    let redacted = OPENAI_KEY_REGEX.replace_all(&input, "[REDACTED_SECRET]");
+    let redacted = AWS_ACCESS_KEY_ID_REGEX.replace_all(&redacted, "[REDACTED_SECRET]");
+    let redacted = BEARER_TOKEN_REGEX.replace_all(&redacted, "Bearer [REDACTED_SECRET]");
+    let redacted = SECRET_ASSIGNMENT_REGEX.replace_all(&redacted, "$1$2$3[REDACTED_SECRET]");
+
+    redacted.to_string()
+}
+
+fn compile_regex(pattern: &str) -> Regex {
+    match Regex::new(pattern) {
+        Ok(regex) => regex,
+        // Panic is ok thanks to `load_regex` test.
+        Err(err) => panic!("invalid regex pattern `{pattern}`: {err}"),
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn load_regex() {
+        // The goal of this test is just to compile all the regex to prevent the panic
+        let _ = redact_secrets("secret".to_string());
+    }
+}