
Feature request: redact secrets when logging #552

Closed
vikaspotluri123 opened this issue Nov 20, 2022 · 6 comments

Comments


vikaspotluri123 commented Nov 20, 2022

Current Behavior

If we make a call with a secret, it will be printed to stdout.
Note: I'm only including shell examples for brevity, but this applies to most zx logging 🙂
If we wanted to go one step further, there could also be a $.redact(text: string) method.

Example:

const githubUrl = 'https://api.github.com/organizations';
const githubToken = 'ghs_xxxxxxxxx';
await $`curl --silent ${githubUrl} -H "Authorization: Bearer ${githubToken}"`;

// prints:
// $ curl --silent $'https://api.github.com/organizations' -H "Authorization: Bearer ghs_xxxxxxxxx"
//                                                                                   ^ exposed!

Requested Behavior

It would be cool if we could either redact or replace secrets.

For example, with blanket redaction:

const githubUrl = 'https://api.github.com/organizations';
const githubToken = 'ghs_xxxxxxxxx';
$.secrets.push(githubToken); // Example: Blanket redaction
await $`curl --silent ${githubUrl} -H "Authorization: Bearer ${githubToken}"`;

// prints:
// $ curl --silent $'https://api.github.com/organizations' -H "Authorization: Bearer **redacted**"
//                                                                                   ^ hidden

Or with contextual redaction:

const githubUrl = 'https://api.github.com/organizations';
const githubToken = 'ghs_xxxxxxxxx';
$.secrets.githubToken = githubToken; // Example: Contextual redaction
await $`curl --silent ${githubUrl} -H "Authorization: Bearer ${githubToken}"`;

// prints:
// $ curl --silent $'https://api.github.com/organizations' -H "Authorization: Bearer **githubToken**"
//                                                                                   ^ hidden with context

Steps to Reproduce the Problem

covered in Current Behavior section

Specifications

  • Version: 7.1.1
  • Platform: Linux
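An added example, not code from zx or from the issue's author, of how the blanket and contextual redaction proposed above could work as a plain string pass over a log line before it is printed (`redact` and `escapeRegExp` are assumed helper names; the sample log line is constructed to mirror the curl call above):

```javascript
// Added example (not zx's own code): a redaction pass in the spirit of the
// $.secrets proposal. A logger would run each line through redact() before
// printing. `redact` and `escapeRegExp` are assumed helper names.

// Escape regex metacharacters so a secret is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// rules: an array of secrets (blanket, mask is **redacted**) or an object
// mapping a label to a secret (contextual, mask is **label**).
function redact(text, rules) {
  const entries = Array.isArray(rules)
    ? rules.map((secret) => [null, secret])
    : Object.entries(rules);
  const patterns = [];
  for (const [label, secret] of entries) {
    // Very short secrets would mask unrelated text, so ignore them.
    if (typeof secret !== 'string' || secret.length < 4) continue;
    // A token placed in a URL is usually percent-encoded; cover that form too.
    for (const form of new Set([secret, encodeURIComponent(secret)])) {
      patterns.push({ label, form });
    }
  }
  // Longest match first: a secret that is a prefix of another must not leave a tail exposed.
  patterns.sort((a, b) => b.form.length - a.form.length);
  let out = text;
  for (const { label, form } of patterns) {
    const mask = label === null ? '**redacted**' : `**${label}**`;
    // Function replacement so `$` sequences in the mask are not interpreted.
    out = out.replace(new RegExp(escapeRegExp(form), 'g'), () => mask);
  }
  return out;
}

// Constructed sample, mirroring the curl line logged in the issue.
const githubToken = 'ghs_xxxxxxxxx';
const loggedLine =
  `$ curl --silent $'https://api.github.com/organizations' -H "Authorization: Bearer ${githubToken}"`;

console.log(redact(loggedLine, [githubToken]));   // blanket
console.log(redact(loggedLine, { githubToken })); // contextual
```

Redaction is only as complete as the registered secrets: a value the script never registers, or one that reaches the console through a library's own logging, is still printed in clear.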
@antonmedv (Collaborator)

Well, we already have such a feature: use env:

$.env.GITHUB_TOKEN = 'ghs_xxxxxxxxx';
await $`curl --silent https://api.github.com/organizations -H "Authorization: Bearer $GITHUB_TOKEN"`;

@vikaspotluri123 (Author)

Ahh yeah, that would work for shell commands! I'm not sure why I assumed zx would do variable interpolation instead of letting the shell handle it.

Is this something that could be expanded to other places, such as fetch requests?

@antonmedv (Collaborator)

For fetch we need to add support.

@SoulPancake

@antonmedv Can I work on this?

@antonmedv (Collaborator)

Sure 👌🏻

@wereHamster

I can't use an env variable, since the requests are sent by Octokit:

import { Octokit } from '@octokit/rest'

const octokit = new Octokit({
  auth: (await $`security find-generic-password -a github-com-personal-access-token -w`).stdout.trim(),
})

await octokit.rest.repos.createDeployment({ … })

Somehow zx dumps outgoing HTTP requests, including headers, to the console.
