Copying a secret environment variable when it is hidden copies the underlying JSON object

[mtaylorfsmb]

Is there an existing issue for this?

• [X] I have searched the tracker for existing similar issues and I know that duplicates will be closed

Describe the Issue

In an Environment we have some variables defined that are secret (clientId/clientSecret). These show up masked when viewing in the UX. If you copy the secret value and paste it you get the underlying JSON data (which includes the secret value). This is a twofold problem.

1. Even though the UX doesn't show the value I can still copy and paste it anywhere (including notepad) to get the value. I understand not showing the value is more of a minor attempt to prevent someone from looking over your shoulder but...
2. If you copy/paste the value from, say, current value to initial value then it is going to paste in the wrong value which means you still need to unhide it to get the correct value.

Steps To Reproduce

1. Open any environment
2. Add a secret variable and set the current value to something
3. Ensure the value is hidden
4. Copy the value and then paste it into the initial value
5. Show the hidden values

I believe the correct approach, if you're just trying to protect from over the shoulder copies, is to simply copy the actual value. If you are trying to be more secure then you probably shouldn't be able to copy values that are hidden at all. But make this obvious since copy/paste that doesn't do anything is hard to recognize in the UI.

Screenshots or Videos

No response

Operating System

Windows

Postman Version

11.4.0

Postman Platform

Postman App

User Account Type

Signed In User

Additional Context?

No response

[giridharvc7]

Thank you for reporting the issue. We'll look into it and get back to you once we have a fix. Meanwhile, I want to take this opportunity to introduce Postman vault, a secure storage system for all your secrets - you can learn more about Postman vault here