
Secret redaction by variable/key name.

Open nedhanks opened this issue 2 years ago • 8 comments

Discord username (optional)

ned_hanks

Describe the solution you'd like?

Ability to redact secrets based on variable or key name.
Ex: AWS_SECRET_ACCESS_KEY=***************************
The AWS_SECRET_ACCESS_KEY does follow a pattern that regex can be used to redact. Giving the ability to redact based on a variable or key name will be helpful.

Is your feature request related to a problem? Please describe.

I do a lot of demos and presentations that are recorded. I try to be careful to not show secrets, passwords, tokens, etc. But sometimes they will show. My team developed a CLI that our developers/engineers use, and we do redact these fields based on the variable name.

Additional context

No response

How important is this feature to you?

3


nedhanks avatar Sep 05 '23 15:09 nedhanks

@nedhanks Thanks for sharing this feedback (where the rubber meets the road). Will mention this to the team.

elviskahoro avatar Sep 08 '23 19:09 elviskahoro

Thanks for submitting @nedhanks. We do have secret redaction for certain keys listed in our docs: https://docs.warp.dev/features/secret-redaction#secret-regex-list

To anyone else interested in this feature, please add a :+1: to the original post at the top to signal that you want this feature, and subscribe if you'd like to be notified.

As a possible stopgap for your feature, you can try and add the regex pattern for your preferred keys in Warp > Settings > Privacy.


dannyneira avatar Sep 11 '23 23:09 dannyneira

I know, but this only works if the 'value' matches. There are many times where the value will not match. Another example is database connections where username and password are in the value. Or URLs with username:password in the value.

I have set a custom regex for aws_secret_access_key, but this redacts the whole line, not just the value.

An option is to use regex parens/fields. ex: AWS_SECRET_ACCESS_KEY=(.*). Then redact whatever is in the parens.

nedhanks avatar Sep 12 '23 02:09 nedhanks

@nedhanks Really appreciate you filing this issue. I'd love to better understand why regexes don't work for your use case and why it's redacting the whole line.

Is the secret a single word? If so, could you use a regex like AWS_SECRET_ACCESS_KEY=\w+ to solve this?

alokedesai avatar Sep 12 '23 20:09 alokedesai

Example extra regex:

AWS_PROFILE=([A-Za-z0-9_-]+)

$ env | grep AWS
*****************************
AWS_REGION=us-west-2

So warp redacts the whole line/regex, not just the matched part.

nedhanks avatar Sep 13 '23 01:09 nedhanks

Another way of formulating this issue:

  1. In the following text, how do I hide the token value but not the token name: TOKEN=patcc3456ou3456oiu3456 ?
  2. If I omit the token name from the regex (i.e. patcc[a-zA-Z0-9.]+) then how do I remember what my custom regex was for?

Possible solutions:

  1. If the regex contains parentheses (i.e. TOKEN=(patcc[a-zA-Z0-9.]+)) then only hide the regions matched by those (i.e. TOKEN=*************). Optionally allow the hidden text to be replaced by some user-defined text (i.e. TOKEN=🔑).

  2. Allow the users to name the custom regexes.

doga avatar Jan 13 '24 12:01 doga

In one of my scenarios I am trying a similar one, like QUAYIO_PASSWORD=(.*), and when I did echo $QUAYIO_PASSWORD I see the secret is still not masked.

kameshsampath avatar Apr 02 '24 16:04 kameshsampath
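
The capture-group proposal and the `echo $QUAYIO_PASSWORD` report above, as an added Python example (not Warp's code and not written by anyone in this thread): only the parenthesised part of a named rule is masked, and a rule without parentheses still hides the whole match. It goes one step beyond the thread by remembering captured values so that later output without the key name is masked too; the `Redactor` class, the rule names, the URL pattern, `min_len` and the sample values are assumptions of this example.

```python
import re

# AWS_SECRET_ACCESS_KEY, TOKEN and QUAYIO_PASSWORD patterns are from the thread;
# the rule names and the URL pattern are assumptions of this example.
RULES = {
    "aws-secret-key": r"AWS_SECRET_ACCESS_KEY=(.*)",
    "token": r"TOKEN=(patcc[a-zA-Z0-9.]+)",
    "quay-password": r"QUAYIO_PASSWORD=(.*)",
    "url-password": r"://[^:/@\s]+:([^@\s]+)@",
}

class Redactor:
    def __init__(self, rules, mask="*", min_len=6):
        self.rules = {name: re.compile(p) for name, p in rules.items()}
        self.mask, self.min_len = mask, min_len
        self.seen = set()  # captured values, so later bare output is masked too

    def redact(self, line):
        """Return (masked line, sorted names of the rules that matched)."""
        spans, hits = [], set()
        for name, rx in self.rules.items():
            for m in rx.finditer(line):
                hits.add(name)
                # A rule without parentheses falls back to hiding the whole match.
                for g in (range(1, rx.groups + 1) if rx.groups else [0]):
                    if m.start(g) == -1:
                        continue  # optional group that did not participate
                    spans.append(m.span(g))
                    if g and len(m.group(g)) >= self.min_len:
                        self.seen.add(m.group(g))
        for value in self.seen:  # mask remembered values wherever they reappear
            spans += [f.span() for f in re.finditer(re.escape(value), line)]
        chars = list(line)
        for start, end in spans:
            chars[start:end] = [self.mask] * (end - start)
        return "".join(chars), sorted(hits)

# Constructed terminal output; none of these values are real credentials.
SAMPLE = [
    "AWS_SECRET_ACCESS_KEY=constructed/Secret+Value0",
    "AWS_REGION=us-west-2",
    "TOKEN=patcc3456ou3456oiu3456",
    "DATABASE_URL=postgres://app:s3cr3t-pw@db.example.internal:5432/app",
    "QUAYIO_PASSWORD=constructed-quay-pw",
    "constructed-quay-pw",  # what `echo $QUAYIO_PASSWORD` prints: no key name
]

if __name__ == "__main__":
    redactor = Redactor(RULES)
    for line in SAMPLE:
        print(*redactor.redact(line))
```

A value is only remembered after a name-keyed line has been seen in the same session, and a greedy `(.*)` group also masks anything that follows the secret on the same line.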

In #5393 I've suggested a more generalized and flexible approach that would cover these use cases.

mikenerone avatar Oct 18 '24 13:10 mikenerone