dotenv-vscode icon indicating copy to clipboard operation
dotenv-vscode copied to clipboard
verified publisher icon dotenv-org

Cloaking feature reveals all secrets when loading a file

Open FlooferLand opened this issue 1 year ago • 2 comments

Not sure if something broke with my configuration, but this ruins the point of a cloaking feature, and I would recommend removing it if it can't be solved as it could give users a false sense of security.

gif (dont worry that Discord token isn't real) You can barely see it in the GIF because of the low framerate, but it's WAY more noticeable in a video. If someone is livestreaming on a platform like Twitch, someone could easily clip and pause the video, being able to write down that secret.

It happens when switching between tabs, as well as loading a new file. It always happens; takes about 200 ms for the secrets to get cloaked. Plenty of time for them to get snatched

FlooferLand avatar Feb 09 '24 23:02 FlooferLand

unfortunately, so far, this appears to be a vscode limitation. i haven't been able to find a way around it. anyone have any ideas?

motdotla avatar Feb 12 '24 05:02 motdotla

This also happens when you alt or option + click on a file, which opens the file in a new tab group. When it opens in the new tab group, it's not focused, but all the environment variables are completely visible. Kapture 2024-02-13 at 11 28 00

ksmithut avatar Feb 13 '24 18:02 ksmithut