Last active
August 6, 2024 11:31
-
-
Save schlessera/9851022e03cd669540cb3dfc3cb37915 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/env bash | |
| # Mask sensitive key-value pairs in the output of the `env` command. | |
| # This script is intended to be used as a filter for the `env` command output. | |
| # It will replace the value of any key in the SENSITIVE_KEYS list with asterisks. | |
| # Author: Alain Schlesser | |
| # Link to the source gist: https://gist.github.com/schlessera/9851022e03cd669540cb3dfc3cb37915 | |
| # Original mention: https://x.com/schlessera/status/1820074260934566102 | |
| # Instructions for use: | |
| # 1. Save this script to a file named `mask-sensitive-key-value-pairs`. | |
| # 2. Make the script executable with `chmod +x mask-sensitive-key-value-pairs`. | |
| # 3. Add the directory where the script is saved to your PATH. (or move the script to a directory already in your PATH) | |
| # 4. Run `env | mask-sensitive-key-value-pairs` to mask sensitive key-value pairs in the output of the `env` command. | |
| # 5. Optionally, you can create an alias for the `env` command to always use this script as a filter: | |
| # `alias env='env | mask-sensitive-key-value-pairs'` | |
| # Add this alias to your shell configuration file to make it permanent. | |
| # Provide a list of name components that might denote a senstiive key-value pair. | |
| # This list is used to match the key in the key-value pair. | |
| # Add any additional keys to this list to mask them in the output. | |
| declare -a SENSITIVE_KEYS | |
| SENSITIVE_KEYS+=("KEY") # i.e. "OPENAI_API_KEY" | |
| SENSITIVE_KEYS+=("TOKEN") # i.e. "GITHUB_TOKEN" | |
| # Assemble the list of sensitive keys into a regex pattern. | |
| SENSITIVE_KEYS_PATTERN=$(IFS='|'; echo "${SENSITIVE_KEYS[*]}") | |
| # Assemble the awk script to mask sensitive key-value pairs. | |
| # The script will replace the value of any key in the SENSITIVE_KEYS list with asterisks. | |
| # The script will print the key-value pairs with the value replaced by asterisks. | |
| AWK_SCRIPT=" | |
| BEGIN { OFS = \"=\" } # Set the output field separator to '=', important for the final print statement. | |
| \$1 ~ /($SENSITIVE_KEYS_PATTERN)/ { # If the first field matches 'KEY' or 'TOKEN'... | |
| len = length(\$2) # Get the length of the second field, which is the value to replace. | |
| \$2 = sprintf(\"%*s\", len, \" \") # Replace the second field with a string of spaces of the same length. | |
| gsub(/ /, \"*\", \$2) # Replace all spaces in the second field with asterisks. | |
| } | |
| { print \$1, \$2 } # Print the first and second fields. They will be separated by the output field separator '='. | |
| " | |
| # Run the awk script with '=' as the field separator for parsing the input. | |
| # The input would typically be the output of the `env` command, but it can be applied to other similar key-value pair outputs. | |
| awk -F '=' "$AWK_SCRIPT" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@matthieutirelli-pro I was wondering about the typos in your intial alias post, with the trailing
=signs.An empty line (or similar whitespaces not sticking to the initial awk script's assumption of key-value pairs) will end up being transformed into an
=sign.The script will need to be made smarter to deal with non-env output.