Secret redaction by variable/key name.

[nedhanks]

Discord username (optional)

ned_hanks

Describe the solution you'd like?

Ability to redact secrets based on variable or key name.
Ex: AWS_SECRET_ACCESS_KEY=***************************
The AWS_SECRET_ACCESS_KEY does follow a pattern that regex can be used to redact. Giving the ability to redact based on a variable or key name will be helpful.

Is your feature request related to a problem? Please describe.

I do a lot of demos' and presentations that are recorded. I try to be careful to not show secrets, passwords, tokens, etc. But, sometimes they will show. My team developed a cli that our developers/engineers use and we do redact these fields based on the variable name.

Additional context

No response

How important is this feature to you?

3

Warp Internal (ignore) - linear-label:770f6576-d6c0-4e4f-a259-fc64b5156087

None

[elviskahoro]

@nedhanks Thanks for sharing this feedback (where the rubber meets the road). Will mention this to the team.

[dannyneira]

Thanks for submitting @nedhanks. We do have secret redation for certain keys listed in our docs: https://docs.warp.dev/features/secret-redaction#secret-regex-list

To anyone else interested in this feature, please add a :+1: to the original post at the top to signal that you want this feature, and subscribe if you'd like to be notified.

As a possible stopgap for your feature, you can try and add the regex pattern for your preferred keys in Warp > Settings > Privacy.

[nedhanks]

I know, but this only works if the 'value' matches. There are many times where there value will not match. Another example is database connections where username and password are in the value. Or URLs with username:password in the value.

I have set a custom regex for aws_secret_access_key, but this redacts the whole line, not just the value.

An option is to use regex parens/fields. ex: AWS_SECRET_ACCESS_KEY=(.*). Then redact whatever is in the parens.

[alokedesai]

@nedhanks Really appreciate you filing this issue. I'd love to better understand why regexes don't work for your use case and why it's redacting the whole line.

Is the secret a single word? If so, could you use a regex like AWS_SECRET_ACCESS_KEY=\w+ to solve this?

[nedhanks]

Example extra regex:

AWSPROFILE=([A-Za-z0-9-]+)

$ env | grep AWS
*****************************
AWS_REGION=us-west-2

So warp redacts the whole line/regex, not just the matched part.

[doga]

Another way of formulating this issue:

1. In the following text, how do I hide the token value but not the token name: TOKEN=patcc3456ou3456oiu3456 ?
2. If I omit the token name from the regex (i.e. patcc[a-zA-Z0-9.]+) then how do I remember what my custom regex was for?

Possible solutions:

1. If the regex contains parentheses (i.e. TOKEN=(patcc[a-zA-Z0-9.]+)) then only hide the regions matched by those (i.e. TOKEN=*************). Optionally allow the hidden text to be replaced by some user-defined text (i.e. TOKEN=🔑).

2. Allow the users to name the custom regexes.

[kameshsampath]

In one of my scenarios I am trying similar one like QUAYIO_PASSWORD=(.*) and when I did echo $QUAYIO_PASSWORD I see the secret is still not masked.

[mikenerone]

In #5393 I've suggested a more generalized and flexible approach that would cover these use cases.