All `envs` are saved into `commands-*.json` which can leak secrets
Is there an existing issue for this?
- [x] I have searched the existing issues and didn't find mine.
Steps to reproduce
```
export TEST_PASSWORD=secret-value
maestro test \
  -e USERNAME=$TEST_USERNAME \
  -e PASSWORD=$TEST_PASSWORD \
  --debug-output maestro-logs \
  --flatten-debug-output \
  .maestro/
```
Actual results
Observe that all commands-*.json contain the password value.
(Related code outputting the file https://github.com/mobile-dev-inc/Maestro/blob/e7e1d36c79b1528318f2f277eba5d33a716d7b56/maestro-cli/src/main/java/maestro/cli/report/TestDebugReporter.kt#L90)
Expected results
All commands-*.json contain redacted information about the password (****).
I would expect common names like token, pass, secret to be redacted by default. Or the Maestro CLI would provide -s, --secret option to pass secrets instead of -e, --env.
About app
The application is RN. I can share a min repro example if needed, but I believe the issue is not related to the app.
About environment
Based on my knowledge the issue happens unrelated to the environment.
Logs
Maestro version
1.40.3
How did you install Maestro?
other (please specify in the text area below)
Anything else?
Installed via GH action -> dniHze/maestro-test-action@bda8a93211c86d0a05b7a4597c5ad134566fbde4
The same information is also in the maestro.log, which is logged elsewhere.
Maestro doesn't have secret management or obfuscation. A few people have mentioned it (although not as many as I'd expect) but nobody's volunteered a PR to solve it yet.
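Since the thread confirms there is no built-in redaction, one workaround is to scrub the debug output before it is uploaded as a CI artifact. The script below is an added example, not part of the original thread and not Maestro code. It assumes the files are text and that a secret appears either verbatim or JSON-escaped; the `scrub_debug_dir` helper, the `MIN_LEN` threshold and the script name are hypothetical.

```python
import json
import os
import sys
from pathlib import Path

MASK = "****"  # same placeholder the issue asks for
MIN_LEN = 4    # assumption: shorter values would over-match ordinary text


def secret_forms(values):
    """Return each secret as raw and JSON-escaped text, longest first."""
    forms = set()
    for value in values:
        if value and len(value) >= MIN_LEN:
            forms.add(value)
            forms.add(json.dumps(value)[1:-1])  # '"' becomes '\"', etc.
            forms.add(json.dumps(value, ensure_ascii=False)[1:-1])
    # Longest first, so a secret containing another is masked whole.
    return sorted(forms, key=len, reverse=True)


def scrub_text(text, forms):
    for form in forms:
        text = text.replace(form, MASK)
    return text


def scrub_debug_dir(debug_dir, values):
    """Rewrite commands-*.json and maestro.log in place; return changed paths."""
    forms = secret_forms(values)
    root = Path(debug_dir)
    targets = set(root.rglob("commands-*.json")) | set(root.rglob("maestro.log"))
    changed = []
    for path in sorted(targets):
        original = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned = scrub_text(original, forms)
        if cleaned != original:
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
            changed.append(path)
    return changed


if __name__ == "__main__":
    # Usage: python scrub.py maestro-logs TEST_PASSWORD [OTHER_VAR ...]
    secrets = [os.environ.get(name, "") for name in sys.argv[2:]]
    for path in scrub_debug_dir(sys.argv[1], secrets):
        print(f"redacted {path}")
```

Run it after `maestro test` and before the artifact upload step. It takes variable names rather than values so the secret itself never appears on the command line, and it does not cover screenshots or other binary output.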