Closed chadselph closed 1 year ago
Just thinking about this: can the secret leak, e.g. via logs?
I think op cli isn't secure, as you can watch for /proc processes and read their environment variables out.
The op run helper might be better if you're concerned about the logging security vector. It will mask the password value from stdout if it is printed.
But regardless of where you're sourcing a secret from, your app shouldn't be logging it. I don't see this feature adding any new threats in that sense.
@chadselph I was thinking more about IntelliJ logging, i.e. if they log the command line they might log the resolved macro?
@bric3 Yes, that is correct when you're using the macro to resolve a command line argument. For me, this isn't really different, since I was just passing passwords directly into those fields before, but it may be worth calling out if it can be explained clearly and succinctly.
Add a new macro for Run Configs and External Tools.
Basically you can pass $1Passsword(op://path-to-secret) into several of the fields when running an application, such as VM options or command line arguments.
This is my first attempt at Kotlin, so I might have gotten some things wrong; I just tried to copy existing patterns in the code.