[envvars-cli] Add option to not show envvar values when listing
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	LucasWerkmeister
	Apr 26 2024, 12:06 AM

Description

Given that envvars are often used for secrets, IMHO it would be useful to have a mode that only lists the defined variable names without their values. (I’m even tempted to say it should be the default, to be honest.) This was previously discussed in T340005, but the outcome there was to truncate the values to 50 characters, which is enough to fully “leak” many secrets (even OAuth consumer secrets for Wikimedia wikis are shorter than that).

Currently, the only way to list envvars without values is using questionable pipelines or unsupported low-level APIs (I think):

$ toolforge envvars list | awk '{ print $1 }'
$ toolforge envvars list --json | jq -r '.[] | .name'
$ kubectl get secrets

Related Objects

Mentioned Here: T362062: [Session] Toolforge & Cloud VPS demos
T340005: Don't list envvar values on the list command

Event Timeline

LucasWerkmeister created this task.Apr 26 2024, 12:06 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 26 2024, 12:06 AM

Two use-cases I have in mind:

debugging a tool with someone else who is “shoulder surfing”
publicly documenting the defined envvars (“the tool expects the following variables to be set: envvars list command + output”)

CC @Slst2020 who just ran toolforge envvars list in T362062: [Session] Toolforge & Cloud VPS demos (the only variable that was truncated at 50 characters was the Django secret key) – she said she’s gonna change the credentials afterwards, but IMHO it would’ve been better if the command hadn’t shown them to the whole room in the first place :)

In T363544#9772459, @LucasWerkmeister wrote:

CC @Slst2020 who just ran toolforge envvars list in T362062: [Session] Toolforge & Cloud VPS demos (the only variable that was truncated at 50 characters was the Django secret key) – she said she’s gonna change the credentials afterwards, but IMHO it would’ve been better if the command hadn’t shown them to the whole room in the first place :)

In this case it was intentional for demo purposes, but I agree that there is a use case for hiding the envvars when listing, perhaps as a default.

Slst2020 moved this task from Backlog to Ready to be worked on on the Toolforge board.May 6 2024, 9:32 AM

dcaro triaged this task as Medium priority.May 15 2024, 1:37 PM

Addshore subscribed.Apr 10 2025, 1:20 PM

Restricted Application added a project: cloud-services-team. · View Herald TranscriptApr 10 2025, 1:20 PM

This makes sense. it should default to hidden by default, maybe just printing out a * * * * * * * placeholder instead. If someone really wants to view the value, maybe that can be done in a show subcommand or a flag to make the values visible.

raymond-ndibe opened https://gitlab.wikimedia.org/repos/cloud/toolforge/envvars-cli/-/merge_requests/78

[envvars-cli] hide envvar if truncate true

Raymond_Ndibe changed the task status from Open to In Progress.Apr 13 2025, 5:06 AM

Raymond_Ndibe claimed this task.

Raymond_Ndibe edited projects, added Toolforge (Toolforge iteration 19); removed Toolforge.

Raymond_Ndibe moved this task from Next Up to In Review on the Toolforge (Toolforge iteration 19) board.

raymond-ndibe opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/753

[envvars-cli] test hide envvars value by default

raymond-ndibe merged https://gitlab.wikimedia.org/repos/cloud/toolforge/envvars-cli/-/merge_requests/78

[envvars-cli] hide envvar by default

raymond-ndibe opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/754

[envvars-cli] test hide envvars value by default

raymond-ndibe closed https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/753

[envvars-cli] test hide envvars value by default

raymond-ndibe merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/754

[envvars-cli] test hide envvars value by default

raymond-ndibe merged https://gitlab.wikimedia.org/repos/cloud/toolforge/envvars-cli/-/merge_requests/79

d/changelog: bump to 0.0.13

Raymond_Ndibe closed this task as Resolved.Apr 24 2025, 7:21 PM

Raymond_Ndibe moved this task from In Review to Done on the Toolforge (Toolforge iteration 19) board.

raymond-ndibe opened https://gitlab.wikimedia.org/repos/cloud/toolforge/envvars-cli/-/merge_requests/86

d/changelog: bump to 0.0.14

raymond-ndibe merged https://gitlab.wikimedia.org/repos/cloud/toolforge/envvars-cli/-/merge_requests/86

d/changelog: bump to 0.0.14

Envvars list now shows asterisks:

local.tf-test@toolslocal:~$ toolforge envvars list
name    value
TEST1   ****************
TEST2   ****************

unless --show-values is passed:

local.tf-test@toolslocal:~$ toolforge envvars list --show-values
name    value
TEST1   some value
TEST2   osnaethaoenst ontoeah nstuoahenuthoaentsuhaoentshuaonetshunsaothunsaot hunstoa unstha snuthoaesnuth aoensth

Nice, thanks!

[envvars-cli] Add option to not show envvar values when listingClosed, ResolvedPublicActions

Description

Related Objects

Event Timeline

[envvars-cli] Add option to not show envvar values when listing
Closed, ResolvedPublic
Actions