warpdotdev / Warp

Warp is a modern, Rust-based terminal with AI built in so you and your team can build great software, faster.
https://warp.dev

Secret redaction by variable/key name. #3636

Open nedhanks opened 1 year ago

nedhanks commented 1 year ago

Discord username (optional)

ned_hanks

Describe the solution you'd like?

Ability to redact secrets based on variable or key name.
Ex: AWS_SECRET_ACCESS_KEY=***************************
The AWS_SECRET_ACCESS_KEY does follow a pattern that regex can be used to redact. Giving the ability to redact based on a variable or key name will be helpful.

Is your feature request related to a problem? Please describe.

I do a lot of demos and presentations that are recorded. I try to be careful to not show secrets, passwords, tokens, etc. But sometimes they will show. My team developed a CLI that our developers/engineers use, and we do redact these fields based on the variable name.

Additional context

No response

How important is this feature to you?

3

Warp Internal (ignore) - linear-label:770f6576-d6c0-4e4f-a259-fc64b5156087

None

elviskahoro commented 1 year ago

@nedhanks Thanks for sharing this feedback (where the rubber meets the road). Will mention this to the team.

dannyneira commented 1 year ago

Thanks for submitting @nedhanks. We do have secret redaction for certain keys listed in our docs: https://docs.warp.dev/features/secret-redaction#secret-regex-list

To anyone else interested in this feature, please add a :+1: to the original post at the top to signal that you want this feature, and subscribe if you'd like to be notified.

As a possible stopgap for your feature, you can try and add the regex pattern for your preferred keys in Warp > Settings > Privacy.

[screenshot: CleanShot 2023-09-11 at 17 54 28]

nedhanks commented 1 year ago

I know, but this only works if the 'value' matches. There are many times where the value will not match. Another example is database connections where the username and password are in the value, or URLs with username:password in the value.

I have set a custom regex for aws_secret_access_key, but this redacts the whole line, not just the value.

An option is to use regex parens/fields. ex: AWS_SECRET_ACCESS_KEY=(.*). Then redact whatever is in the parens.

alokedesai commented 1 year ago

@nedhanks Really appreciate you filing this issue. I'd love to better understand why regexes don't work for your use case and why it's redacting the whole line.

Is the secret a single word? If so, could you use a regex like AWS_SECRET_ACCESS_KEY=\w+ to solve this?

nedhanks commented 1 year ago

Example extra regex:

AWSPROFILE=([A-Za-z0-9-]+)

$ env | grep AWS
*****************************
AWS_REGION=us-west-2

So warp redacts the whole line/regex, not just the matched part.

doga commented 10 months ago

Another way of formulating this issue:

  1. In the following text, how do I hide the token value but not the token name: TOKEN=patcc3456ou3456oiu3456 ?
  2. If I omit the token name from the regex (i.e. patcc[a-zA-Z0-9.]+) then how do I remember what my custom regex was for?

Possible solutions:

  1. If the regex contains parentheses (i.e. TOKEN=(patcc[a-zA-Z0-9.]+)) then only hide the regions matched by those (i.e. TOKEN=*************). Optionally allow the hidden text to be replaced by some user-defined text (i.e. TOKEN=🔑).

  2. Allow the users to name the custom regexes.

kameshsampath commented 7 months ago

In one of my scenarios I am trying a similar one, like QUAYIO_PASSWORD=(.*), and when I do echo $QUAYIO_PASSWORD I see the secret is still not masked.
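Added example (not Warp's code, and not part of any comment above) showing the capture-group redaction nedhanks and doga propose, plus doga's named-rule idea, run over constructed sample output. The rule names, patterns, and sample lines are assumptions made up for this illustration. It also shows the caveat from the QUAYIO_PASSWORD report: a name-anchored rule can only mask a value that appears next to its name, so the bare value printed by `echo $VAR` passes through untouched.

```python
import re

MASK_CHAR = "*"

# Constructed, named rules (hypothetical; not Warp's configuration format).
# Each name-anchored pattern wraps only the secret value in a capture group, so
# the variable name stays readable while the value is masked.
RULES = {
    "aws-secret-access-key": re.compile(r"AWS_SECRET_ACCESS_KEY=([A-Za-z0-9/+=]+)"),
    "generic-token": re.compile(r"TOKEN=([A-Za-z0-9.]+)"),
    # user:password@host inside a connection URL; only the password is captured
    "url-credentials": re.compile(r"://[^:/\s@]+:([^@\s]+)@"),
}


def redact_match(m, replacement=None):
    """Return the matched text with only its capture groups masked.

    A pattern without capture groups masks the whole match, which is the
    whole-line behaviour the thread describes. `replacement` substitutes a
    fixed string (e.g. a key emoji) instead of one mask character per char.
    """
    if m.re.groups == 0:
        text = m.group(0)
        return replacement if replacement is not None else MASK_CHAR * len(text)
    out = []
    pos = m.start(0)
    for i in range(1, m.re.groups + 1):
        start, end = m.span(i)
        if start < pos:
            # group did not participate (-1) or is nested inside a group that
            # was already masked; skip it
            continue
        out.append(m.string[pos:start])
        secret = m.string[start:end]
        out.append(replacement if replacement is not None else MASK_CHAR * len(secret))
        pos = end
    out.append(m.string[pos:m.end(0)])
    return "".join(out)


def redact_line(line, rules=RULES, replacement=None):
    """Apply every rule to one line of terminal output.

    Returns (redacted_line, names_of_rules_that_fired) so the user can see
    which named regex was responsible for a redaction.
    """
    fired = []
    for name, pattern in rules.items():
        line, count = pattern.subn(lambda m: redact_match(m, replacement), line)
        if count:
            fired.append(name)
    return line, fired


if __name__ == "__main__":
    # Constructed sample output, modelled on the `env | grep` example above.
    sample = [
        "AWS_SECRET_ACCESS_KEY=EXAMPLEsecretKEY1234567890abcdefABCDEF",
        "AWS_REGION=us-west-2",
        "TOKEN=patcc3456ou3456oiu3456",
        "DATABASE_URL=postgres://app:s3cr3t@db.internal:5432/app",
        "patcc3456ou3456oiu3456",  # bare value, as printed by `echo $TOKEN`
    ]
    for raw in sample:
        redacted, fired = redact_line(raw)
        print(f"{redacted:<65} {fired or 'no rule matched'}")
```

The last sample line is the point of the QUAYIO_PASSWORD report: nothing in `patcc3456ou3456oiu3456` matches `TOKEN=(...)`, so a name-based rule needs a separate value-only pattern (or the terminal would need to track variable values) to cover `echo $VAR` output.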

mikenerone commented 3 weeks ago

In #5393 I've suggested a more generalized and flexible approach that would cover these use cases.