bruno
Bruno UI and CLI Reporters can expose secret variables
I have checked the following:
- [X] I've searched existing issues and found nothing related to my issue.
Describe the feature you want to add
The shown example is the Bearer Auth example from the testbench repo, but I've marked the bearer_auth_token as private. The UI still shows the token in the timeline tab. Same for the JSON export that you can generate using the CLI --format json option. This can expose your secrets if you are live-sharing your screen, share a screenshot or the exported report without manually hiding it. So I suggest, after the request is finished, checking the whole output, including every header (request and response), response data, assertion/script output, etc., for exact (or case-insensitive?) matches and replacing them with something else, like a fixed number of asterisks or the variable name.
```json
...
"headers": {
  "check": "again",
  "Authorization": "Bearer your_secret_token",
  "content-type": "application/json"
}
...
```
Mockups or Images of the feature
```json
...
"headers": {
  "check": "again",
  "Authorization": "Bearer {{bearer_auth_token}}",
  "content-type": "application/json"
}
...
```
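One way to implement the proposed redaction, as an added example that is not Bruno's own code: walk the report object, replace every occurrence of each secret variable's value (exact or, optionally, case-insensitive) with `{{variable_name}}`, and do so on all string leaves so headers, bodies and script output are covered alike. The `secrets` map shape, the function names and the sample report are assumptions constructed for this illustration.

```javascript
// Added illustration (not Bruno's code): redact secret variable values from a
// report object before it is shown in the UI or exported by the CLI.
// The secret map and sample report below are constructed sample data.
const secrets = { bearer_auth_token: "your_secret_token" };

// Escape a value so it can be used literally inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Replace every occurrence of each secret value in a string with {{name}}.
// Longer values are matched first so a secret that contains another secret
// is redacted as a whole rather than leaving fragments behind.
function redactString(str, secretMap, { caseInsensitive = false } = {}) {
  const entries = Object.entries(secretMap)
    .filter(([, v]) => typeof v === "string" && v.length > 0)
    .sort((a, b) => b[1].length - a[1].length);
  let out = str;
  for (const [name, value] of entries) {
    const re = new RegExp(escapeRegExp(value), caseInsensitive ? "gi" : "g");
    out = out.replace(re, `{{${name}}}`);
  }
  return out;
}

// Walk any JSON-like value (strings, arrays, objects) and redact every string
// leaf and key, so request/response headers, bodies and script output are all
// covered. Numbers, booleans and null pass through unchanged.
function redactReport(node, secretMap, opts) {
  if (typeof node === "string") return redactString(node, secretMap, opts);
  if (Array.isArray(node)) return node.map((n) => redactReport(n, secretMap, opts));
  if (node && typeof node === "object") {
    const out = {};
    for (const [k, v] of Object.entries(node)) {
      out[redactString(k, secretMap, opts)] = redactReport(v, secretMap, opts);
    }
    return out;
  }
  return node;
}

// Constructed sample resembling the CLI JSON report fragment from the issue;
// the secret also appears inside the response body to show it is caught there.
const sampleReport = {
  request: {
    headers: {
      check: "again",
      Authorization: "Bearer your_secret_token",
      "content-type": "application/json",
    },
  },
  response: { data: { echo: "token was your_secret_token" } },
};

const redacted = redactReport(sampleReport, secrets);
```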