programs: sane-secrets-dump: don't leak secrets onto proc/cmdline

pkgs/additional/sane-scripts/src/sane-secrets-dump

@@ -2,12 +2,31 @@
 #!nix-shell -i bash -p gnugrep -p oath-toolkit -p sops
 # use: `sane-dump-secret /path/to/accounts/website.yaml`
 # dumps relevant information about the account, include a OTP code if present
-secrets=$(sops -d --output-type dotenv $1)
-function get_value() {
-	echo "$secrets" | grep "^$1=" | cut -d '=' -f 2-
-}
-echo username: $(get_value username)
-echo password: $(get_value password)
-totp=$(get_value totp-b32)
-[[ -z "$totp" ]] || echo totp: $(oathtool -b --totp $totp)
+#
+# N.B.: avoid leaking secrets into cmdline args, where they're globally visible via /proc/$PID/cmdline!
+# `echo "$str" | something-else` manages to avoid this, but only if using the shell's builtin echo
+# so e.g. `echo`ing the variable in a subshell might leak it.
+
+# TODO: probably a way to parse this into a native bash dictionary
+#       instead of doing repeat greps
+secrets=$(sops -d --output-type dotenv $1)
+
+has_value() {
+  echo "$secrets" | grep -q "^$1="
+}
+
+print_value() {
+  echo "$secrets" | grep "^$1=" | cut -d '=' -f 2-
+}
+print_value_with_header() {
+  echo -n "$1: "
+  print_value "$1"
+}
+
+print_value_with_header "username"
+print_value_with_header "password"
+if has_value "totp-b32"; then
+  echo -n "totp: "
+  print_value "totp-b32" | oathtool -b -
+fi