
Secrets are not redacted in HTML reports when hard-coded in source files.

Open lepapareil opened this issue 7 months ago • 3 comments

What is the current bug behavior?

I can see secrets in source files from html reports.

Steps to reproduce

Create test.hurl:

$ cat <<EOF > test.hurl
HEAD https://hurl.dev/search.html
token: token_to_redact
HTTP 200
EOF

Execute Hurl, redacting the token_to_redact string and creating an html report:

$ hurl \
    --secret non_used_var=token_to_redact \
    --report-html report \
    --verbose \
    test.hurl \
    2> output

The token value is well redacted on output:

$ grep token output

* token: ***
* curl --head --header 'token: ***' 'https://hurl.dev/search.html'
> token: ***

The token value is well redacted on html report run pages:

$ grep -R token report/store/*run.html

...
<details open><summary>Entry 1</summary><table><thead><tr><th colspan="2">Debug</tr></th></thead><tbody><tr><td class="name">Command</td><td class="value">curl --head --header 'token: ***'
...
<td class="value">hurl.dev</td></tr><tr><td class="name">token</td><td class="value">***</td>
...

The token value remains visible in html report source files:

$ grep -R token  report/store/*source.html

<span class="line"><span class="string">token</span>: <span class="string">token_to_redact</span></span>

What is the expected correct behavior?

<span class="line"><span class="string">token</span>: <span class="string">***</span></span>

Execution context

hurl 6.1.1 (unknown) libcurl/8.12.1-DEV OpenSSL/3.0.2 zlib/1.3.1
Features (libcurl):  alt-svc AsynchDNS HSTS IPv6 libz SSL UnixSockets
Features (built-in): brotli

lepapareil, Jun 06 '25 08:06
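A defender-side check to run after report generation, added here as an example and not part of the original issue or the Hurl project: it scans every file under the report directory for each secret value (read from a secrets file, one value per line) so that a leak into the *source.html pages like the one shown above fails a pipeline. The report files below are constructed inline to mirror the grep output of the issue; the secrets file path and the report layout are assumptions.

```shell
#!/bin/sh
# Added example (not Hurl project code). Post-generation leak check:
# scan a report directory for every secret listed in a file.

# Returns 0 when no secret appears in any report file, 1 otherwise.
# Files containing a secret are printed, one per line, for the log.
check_report_for_secrets() {
  report_dir="$1"
  secrets_file="$2"
  leaked=0
  while IFS= read -r secret; do
    [ -n "$secret" ] || continue
    # -F: literal match, -r: recurse, -l: print only matching file names
    if grep -rFl -- "$secret" "$report_dir" 2>/dev/null; then
      leaked=1
    fi
  done < "$secrets_file"
  return "$leaked"
}

# Constructed sample mirroring the issue: the run page is redacted,
# the source page still carries the plain-text secret.
make_sample_report() {
  dir="$1"
  mkdir -p "$dir/store"
  printf '%s\n' '<td class="name">token</td><td class="value">***</td>' \
    > "$dir/store/test-run.html"
  printf '%s\n' '<span class="string">token</span>: <span class="string">token_to_redact</span>' \
    > "$dir/store/test-source.html"
}
```

In a CI job the same check can be chained directly after the hurl invocation, with the secrets file built from the same values passed to --secret.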

If token_to_redact is written in plain text, crystal clear, is it a secret?

jcamiel, Jun 06 '25 09:06

From my point of view, a secret hard-coded in a source file:

  • has to be visible to people with access to the source files.
  • has to be hidden in a generated report, which can be viewed by people with no access to the source file.

Another example: if I generate Hurl files from a Hurl template using env vars, my committed Hurl template file will be clean, but executing such generated files will reveal my secrets in the html report.

lepapareil, Jun 06 '25 09:06

Brief recap of the live conversation with @jcamiel and @fabricereix:

  • We could maybe create an option report-html-no-source allowing the source files to be removed from the final report.
  • As a workaround, when generating my Hurl files, I have to generate variable files too, containing the specific secrets of each Hurl file, and source them using hurl --variable-file ${file}.env ${file}.hurl

lepapareil, Jun 20 '25 08:06