cloak.nvim icon indicating copy to clipboard operation
cloak.nvim copied to clipboard
verified publisher icon laytan

Opening a file directly from the command line and pasting in insert mode briefly flash the non-cloaked values

Open ph1losof opened this issue 10 months ago • 3 comments

Hi, I have noticed a few bugs when using cloak.nvim which lead to leaking sensitive values, this is critical since a lot of online content can be played back in time.

Opening files directly

When opening a file directly using neovim filename there is a brief flash of unmasked values

https://github.com/user-attachments/assets/6bed7bba-8218-4a7c-a33f-717e993b68d1

Pasting content inside insert mode

When trying to copy-paste content in insert mode as for example using cmd+v, there is brief flash of unmasked value

https://github.com/user-attachments/assets/1a787d4d-c912-4fdd-b1cb-c8cc3c5d5db6

You can take a look at the implementation from my plugin - ecolog.nvim, It can be used as a nearly drop-in replacement for cloak.nvim for masking sensitive data, it provides all-in-one toolkit to work with environment variables and .env files. You can take a look at the comparisons table

ph1losof avatar Feb 19 '25 21:02 ph1losof

There are some parts of code which can be useful for fixing them both:

This provides more aggressive approach for handling buffer read event fixes issue number 1

That overrides paste command and fixes issue 2

ph1losof avatar Feb 19 '25 23:02 ph1losof

This should definitely be fixed, patches are welcome.

laytan avatar Mar 05 '25 17:03 laytan

Ok, I may even contribute via pr to fixing it

ph1losof avatar Mar 05 '25 20:03 ph1losof