security(cli): sanitize API keys from error messages, fix video SDK noise

yeldarby · claude · yeldarby · commit 183d0d4c1cfc · 2026-04-02T11:12:07.000-05:00
1. Add _sanitize_credentials() to _output.py that strips api_key values
   from URLs in error messages before displaying to the user. This prevents
   API keys from leaking in --json error output, logs, and terminal
   history. Applied to ALL error paths through output_error().

2. Fix video infer handler to use suppress_sdk_output() — was leaking
   "loading Roboflow workspace..." to stdout in --json mode.

Before: {"error": {"message": "...?api_key=tVO5PbdMtkaS5VP92xM7&amp;..."}}
After:  {"error": {"message": "...?api_key=***&amp;..."}}

405 tests pass, all linting clean.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/roboflow/cli/_output.py b/roboflow/cli/_output.py
@@ -36,6 +36,13 @@ def output(args: Any, data: Any, text: Optional[str] = None) -> None:
         print(json.dumps(data, indent=2, default=str))
 
 
+def _sanitize_credentials(text: str) -> str:
+    """Strip API keys from URLs and other sensitive patterns in error messages."""
+    import re
+
+    return re.sub(r"api_key=[A-Za-z0-9_]+", "api_key=***", text)
+
+
 def _parse_error_message(raw: str) -> tuple[Optional[dict[str, Any]], str]:
     """Try to parse a raw error string that may contain embedded JSON.
 
@@ -44,7 +51,7 @@ def _parse_error_message(raw: str) -> tuple[Optional[dict[str, Any]], str]:
     otherwise ``None``.  The *human_readable_message* drills into nested
     ``error.message`` structures so the text-mode output is clean.
     """
-    text = raw.strip()
+    text = _sanitize_credentials(raw.strip())
     # Strip status-code prefix like "404: {...}"
     colon_idx = text.find(": {")
     if 0 < colon_idx < 5:
@@ -60,7 +67,7 @@ def _parse_error_message(raw: str) -> tuple[Optional[dict[str, Any]], str]:
             return parsed, human
     except (json.JSONDecodeError, TypeError, ValueError):
         pass
-    return None, raw
+    return None, text  # Return sanitized text, not the original raw
 
 
 def output_error(
diff --git a/roboflow/cli/handlers/video.py b/roboflow/cli/handlers/video.py
@@ -41,16 +41,19 @@ def _video_infer(args: argparse.Namespace) -> None:
         return
 
     try:
-        rf = roboflow.Roboflow(api_key)
-        project = rf.workspace().project(args.project)
-        version = project.version(args.version_number)
-        model = version.model
-
-        job_id, _signed_url, _expire_time = model.predict_video(
-            args.video_file,
-            args.fps,
-            prediction_type="batch-video",
-        )
+        from roboflow.cli._output import suppress_sdk_output
+
+        with suppress_sdk_output():
+            rf = roboflow.Roboflow(api_key)
+            project = rf.workspace().project(args.project)
+            version = project.version(args.version_number)
+            model = version.model
+
+            job_id, _signed_url, _expire_time = model.predict_video(
+                args.video_file,
+                args.fps,
+                prediction_type="batch-video",
+            )
     except Exception as exc:
         output_error(args, str(exc))
         return
