UNPKG

redact-env

Version:

Redact values of critical environment variables in a string

github.com/47ng/redact-env

47ng/redact-env

116 lines (79 loc) 3.29 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
<h1 align="center">🔒👀 <code>redact-env</code></h1> <div align="center"> [![NPM](https://img.shields.io/npm/v/redact-env?color=red)](https://www.npmjs.com/package/redact-env) [![MIT License](https://img.shields.io/github/license/47ng/redact-env.svg?color=blue)](https://github.com/47ng/redact-env/blob/next/LICENSE) [![CI/CD](https://github.com/47ng/redact-env/workflows/CI%2FCD/badge.svg?branch=next)](https://github.com/47ng/redact-env/actions) [![Coverage Status](https://coveralls.io/repos/github/47ng/redact-env/badge.svg?branch=next)](https://coveralls.io/github/47ng/redact-env?branch=next) </div> <p align="center"> Redact values of critical environment variables in a string. </p> ## ⚠️ Disclaimer This library might not do exactly what you want it to. As for anything related to security, read the [caveats](#caveats), check out the [source code](./src/index.ts) and the [tests](./src/index.test.ts) before using it in production. ## Installation ```shell $ yarn add redact-env # or $ npm i redact-env ``` ## Usage ```ts import * as redactEnv from 'redact-env' const secrets = redactEnv.build(['SECRET_ENV_VAR', 'MY_API_KEY']) const unsafeString = ` ${process.env.SECRET_ENV_VAR} Oh no, the secrets are leaking ! ${process.env.MY_API_KEY} ` console.log('unsafe:', unsafeString) const safeString = redactEnv.redact(unsafeString, secrets) console.log('safe:', safeString) ``` ``` unsafe: QfKcO7cjGoxnLg/28/E7meEu2QaS/wNtFB7wlz+hDZA= Oh no, the secrets are leaking ! d9fd627cfd3d6cb597e8faeb2ef0e4583af924aee047125479b2438ee2a18b67 safe: [secure] Oh no, the secrets are leaking ! [secure] ``` ## Caveats ### Un-redacted values `redact-env` will **NOT** redact the following environment variable values: - `"true"` - `"false"` - `"null"` This is because these string-encoded JSON values are not specific to a single environment variable, and redacting all the booleans and nulls in a string seems overzealous. This is opinionated for a particular usage. ### Parsed numbers in JSON object `redact-env` **WILL** redact numbers in environment variable values, which will pose a problem if you parse them and dump them as numbers in a JSON object: ```ts import * as redactEnv from 'redact-env' process.env.PIN = '1234' const secrets = redactEnv.build(['PIN'], process.env) const pin: number = parseInt(process.env.PIN) const unsafe = JSON.stringify({ pin }) console.log(unsafe) // {"pin":1234} => valid JSON const safeButIncorrect = redactEnv.redact(unsafe, secrets) console.log(safeButIncorrect) // {"pin":[secure]} => not valid JSON ``` ### Windows paths in JSON objects Because of backslash-delimited paths in Windows and string escaping occurring in `JSON.stringify`, Windows paths in environment variables won't be redacted if present in JSON strings. In a future release, we might consider detecting the presence of backslashes in the environment variable value and having two regexp for this secret (one for the plain value and one backslashed-escaped). ## License [MIT](https://github.com/47ng/redact-env/blob/master/LICENSE) - Made with ❤️ by [François Best](https://francoisbest.com) Using this package at work ? [Sponsor me](https://github.com/sponsors/franky47) to help with support and maintenance.