From ed0ae46c379c256ef8354db53fc6a8cb44511faf Mon Sep 17 00:00:00 2001
From: Masen Furer
Date: Mon, 9 Dec 2024 17:07:40 -0800
Subject: [PATCH] Redact sensitive env vars instead of hiding them
---
 reflex/config.py | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/reflex/config.py b/reflex/config.py
index 50748347a..c40abcb39 100644
--- a/reflex/config.py
+++ b/reflex/config.py
@@ -572,7 +572,7 @@ environment = EnvironmentVariables()
 # These vars are not logged because they may contain sensitive information.
-_sensitive_env_vars = {"DB_URL", "ASYNC_DB_URL"}
+_sensitive_env_vars = {"DB_URL", "ASYNC_DB_URL", "REDIS_URL"}
 class Config(Base):
@@ -758,18 +758,20 @@ class Config(Base):
 # If the env var is set, override the config value.
 if env_var is not None:
- if key.upper() not in _sensitive_env_vars:
- console.info(
- f"Overriding config value {key} with env var {key.upper()}={env_var}",
- dedupe=True,
- )
-
 # Interpret the value.
 value = interpret_env_var_value(env_var, field.outer_type_, field.name)
 # Set the value.
 updated_values[key] = value
+ if key.upper() in _sensitive_env_vars:
+ env_var = "***"
+
+ console.info(
+ f"Overriding config value {key} with env var {key.upper()}={env_var}",
+ dedupe=True,
+ )
+
 return updated_values
 def get_event_namespace(self) -> str:
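Review bot: The comment above `_sensitive_env_vars` still says these vars "are not logged", but after this commit they are logged with the value replaced by `***`, so the comment now misdescribes the behaviour. I would change it to `# Values of these vars are redacted in log output because they may contain sensitive information.` The set matches exact names only, so any other config field that carries a credential is still printed in full by the `console.info` call in the second hunk. A second comment line saying that new secret-bearing fields must be added to this set would make that requirement visible to whoever adds the next one.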
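Review bot: Overwriting `env_var` with `"***"` reuses the name that held the real value, so the redaction is only correct because it sits after `interpret_env_var_value(...)` and `updated_values[key] = value`. A later edit that reads `env_var` below this point would silently get the mask instead of the setting. A separate display name keeps the two apart: `shown = "***" if key.upper() in _sensitive_env_vars else env_var`, then log `{key.upper()}={shown}`. A short comment above the `console.info` call saying that the value is masked for names in `_sensitive_env_vars` would also help the next reader. The enclosing method begins above the hunk, so the loop that supplies `key` and `field` is not visible here.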