Skip to content

jgogstad/passwordless-history

master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

Passwordless ZSH history

This ZSH plugin masks secrets in your ZSH history

Example:

❯ curl -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5c' https://example.com
❯ curl -u foo:bar https://example.com
❯ curl https://foo:bar@example.com
❯ AWS_SECRET_ACCESS_KEY=key aws s3 ls s3://example
❯ export DB_PASSWORD=foo
❯ history | tail
 1  curl -H 'Authorization: ...' https://example.com > /dev/null
 2  curl -u ... https://example.com > /dev/null
 3  curl https://...@example.com > /dev/null
 4  AWS_SECRET_ACCESS_KEY=... aws s3 ls s3://example
 5  export DB_PASSWORD=...

ZSH will let you recover the previous command with secrets immediately after execution:

> curl http://username:password@github.com/foo
> # <up-arrow> recovers command with password immediately after execution
> # <up-arrow> recovers masked command here

To exclude any command from history, prefix with a space. It behaves the same as above:

>  echo "prefixed with space"
> # available here on <up-arrow>
> # Not available here 

Control what secrets are catched by setting the environment variable HISTORY_EXCLUDE_PATTERN. If the pattern includes a single group, that group is substituted with .... The default HISTORY_EXCLUDE_PATTERN is

echo $HISTORY_EXCLUDE_PATTERN
^ |//([^/]+:[^/]+)@|KEY[=:] *([^ ]+)|TOKEN[=:] *([^ ]+)|BEARER[=:] *([^ ]+)|PASSWO?R?D?[=:] *([^ ]+)|Authorization[=:] *([^'\"]+)|-us?e?r? ([^:]+:[^:]+) 

it is not case sensitive

Installation

Using Plain zsh

Download passwordless-history.plugin.zsh, then add to .zshrc

source /path/to/passwordless-history.plugin.zsh

Using Antibody

antibody bundle jgogstad/passwordless-history

Using ZInit

Add the following to .zshrc

zinit light jgogstad/passwordless-history

Using ZPlug

Add the following to .zshrc

zplug 'jgogstad/passwordless-history'

Customization

Overwrite HISTORY_EXCLUDE_PATTERN to customize:

export HISTORY_EXCLUDE_PATTERN="^ykchalresp|$HISTORY_EXCLUDE_PATTERN"

The pattern is a regex and it's evaluated with zsh's =~ operator using case insensitive evaluation.

About

Keep passwords out of your ZSH history

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages