Add doc warning about shell history logging for commands that accept credentials
See original GitHub issue
- I have searched the issues of this repo and believe that this is not a duplicate.
- I have searched the documentation and believe that my question is not covered.
Feature Request
I think to make sure private keys/password are secured, we should remove poetry config commands that have any sensitive information from the terminal history (or replace sensitive information with stars?):
$ poetry config http-basic.mypi __token__ azpAEkFPOK5pokErkPOFd
$ history | grep "poetry config http-basic"
poetry config http-basic.mypi __token__ azpAEkFPOK5pokErkPOFd
Expected behaviour would be to have:
$ poetry config http-basic.mypi __token__ azpAEkFPOK5pokErkPOFd
$ history | grep "poetry config http-basic"
poetry config http-basic.mypi __token__ azp***********Fd
It seems like a bit of work to make that work in every situation, but on the other hand it's probably relatively easy for the most common use cases (bash/zsh/fish). Did anyone work on that yet?
Issue Analytics
- State:
- Created 3 years ago
- Comments:7 (1 by maintainers)

We should just add a warning about this risk in the documentation alongside examples talking about configuring secrets. Maybe update the title and description as such.
In theory it is a good idea. In practice that seems quite complicated, if not impossible. But…
1. If I remember right, a good trick to know for such cases (at least in bash) is to prefix the command with an empty space so that it is not added to the history.
2. If you omit the value, then it is prompted interactively, and thus the actual token is not added to the history.
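The redaction the issue asks for and the prompt-instead-of-argument pattern from the last comment, as an added example in Python (not Poetry's own code): it masks a token the way the expected `history` output shows, scans constructed history lines for `poetry config http-basic.<repo> <user> <token>` invocations so a leaked value can be found and masked, and shows the prompt fallback. It assumes only the command shape quoted in the issue; `_HTTP_BASIC`, `SAMPLE_HISTORY` and the function names are hypothetical.

```python
import getpass
import re

# Shape of the command from the issue: poetry config http-basic.<repo> <user> [<token>]
# The token group is optional so the prompt-style invocation (value omitted) is
# recognised as already safe rather than reported as a leak.
_HTTP_BASIC = re.compile(
    r"\bpoetry\s+config\s+http-basic\.\S+\s+\S+(?:\s+(?P<token>\S+))?"
)

# Constructed `history` output for the demo; the token is the one quoted in the issue.
SAMPLE_HISTORY = [
    "  101  poetry config http-basic.mypi __token__ azpAEkFPOK5pokErkPOFd",
    "  102  poetry config http-basic.mypi __token__",
    "  103  git status",
]


def mask_token(token: str, keep_head: int = 3, keep_tail: int = 2) -> str:
    """Keep the first 3 and last 2 characters, star out the rest (azp***...Fd)."""
    if len(token) <= keep_head + keep_tail:
        return "*" * len(token)  # too short to safely show any plaintext
    return token[:keep_head] + "*" * (len(token) - keep_head - keep_tail) + token[-keep_tail:]


def redact_history_line(line: str) -> tuple:
    """Return (line with the token masked, True) if a token is present, else (line, False)."""
    m = _HTTP_BASIC.search(line)
    if not m or m.group("token") is None:
        return line, False
    start, end = m.span("token")
    return line[:start] + mask_token(m.group("token")) + line[end:], True


def redact_history(lines):
    """Mask every leaked token; return (redacted_lines, number_of_leaks_found)."""
    redacted, leaks = [], 0
    for line in lines:
        new_line, leaked = redact_history_line(line)
        redacted.append(new_line)
        leaks += leaked
    return redacted, leaks


def token_from_cli_or_prompt(token=None, prompt_fn=getpass.getpass):
    """Pattern from the last comment: when the value is omitted on the command
    line, prompt for it, so the secret never reaches the shell history."""
    return token if token is not None else prompt_fn("Token: ")


if __name__ == "__main__":
    print(redact_history(SAMPLE_HISTORY))
```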