Description
Critical: In tools/env/env.go, when isSecret() returns true for a variable, the code correctly sets Redacted: "true" but still assigns the full plaintext value to the Value field. Since `Value string `xml:"value,attr"`` is marshaled into the XML output as an attribute, the actual secret is written to the output verbatim; the redacted flag is set, but nothing is redacted.
Steps to Reproduce
export API_KEY=supersecret123
aict env --xml | grep API_KEY
Output (current — wrong):
<var name="API_KEY" value="supersecret123" redacted="true" .../>
Expected Behavior
<var name="API_KEY" value="[REDACTED]" redacted="true" .../>
Fix
In tools/env/env.go, when appending to result.Variables, set Value: "[REDACTED]" (or empty string) when isSecret is true.
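To make the fix concrete, here is a self-contained Go program (added for this report, not code from aict's tools/env/env.go) that reproduces the defect beside the corrected version. The struct shape, the isSecret() heuristic and the map-based input are assumptions standing in for the real implementation; the point is that the replacement must happen at the moment the Variable is appended, and that the output can be checked for leaked plaintext.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
	"strings"
)

// Variable mirrors the shape implied by the report: name, value and the
// redacted flag are all attributes, so whatever lands in Value is emitted.
// (Assumed layout; the real struct lives in tools/env/env.go.)
type Variable struct {
	XMLName  xml.Name `xml:"var"`
	Name     string   `xml:"name,attr"`
	Value    string   `xml:"value,attr"`
	Redacted string   `xml:"redacted,attr,omitempty"`
}

type Result struct {
	XMLName   xml.Name   `xml:"env"`
	Variables []Variable `xml:"var"`
}

const redactedPlaceholder = "[REDACTED]"

// isSecret is a stand-in heuristic (assumption; aict's real detector may differ).
func isSecret(name string) bool {
	upper := strings.ToUpper(name)
	for _, marker := range []string{"KEY", "SECRET", "TOKEN", "PASSWORD", "PASSWD"} {
		if strings.Contains(upper, marker) {
			return true
		}
	}
	return false
}

// sortedNames gives deterministic output order for the XML below.
func sortedNames(env map[string]string) []string {
	names := make([]string, 0, len(env))
	for n := range env {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// collectBuggy reproduces the reported defect: the flag is set,
// but Value still carries the plaintext secret into the XML.
func collectBuggy(env map[string]string) Result {
	var r Result
	for _, name := range sortedNames(env) {
		v := Variable{Name: name, Value: env[name]}
		if isSecret(name) {
			v.Redacted = "true" // flag set, value untouched: the bug
		}
		r.Variables = append(r.Variables, v)
	}
	return r
}

// collectFixed replaces the value at the point of append, so the
// plaintext never reaches the marshaled struct.
func collectFixed(env map[string]string) Result {
	var r Result
	for _, name := range sortedNames(env) {
		v := Variable{Name: name, Value: env[name]}
		if isSecret(name) {
			v.Redacted = "true"
			v.Value = redactedPlaceholder
		}
		r.Variables = append(r.Variables, v)
	}
	return r
}

func toXML(r Result) (string, error) {
	out, err := xml.Marshal(r)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// leaks is a regression check: does any plaintext secret value appear in the output?
func leaks(xmlOut string, env map[string]string) bool {
	for name, val := range env {
		if isSecret(name) && val != "" && strings.Contains(xmlOut, val) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample environment, mirroring the report's reproduction steps.
	env := map[string]string{"API_KEY": "supersecret123", "HOME": "/home/user"}
	for label, r := range map[string]Result{"buggy": collectBuggy(env), "fixed": collectFixed(env)} {
		out, _ := toXML(r)
		fmt.Printf("%s: %s (leaks=%v)\n", label, out, leaks(out, env))
	}
}
```

Note that encoding/xml writes attributes in struct field order, so the fixed output reads `name="API_KEY" value="[REDACTED]" redacted="true"` as in the Expected Behavior section; a `leaks()`-style check is worth keeping as a unit test so the regression cannot silently return.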
Severity
High — this defeats the purpose of the secret detection feature entirely.