programs: sane-secrets-dump: don't leak secrets onto proc/cmdline
This commit is contained in:
parent
5a0760a571
commit
c0f374bd80
|
@ -2,12 +2,31 @@
|
|||
#!nix-shell -i bash -p gnugrep -p oath-toolkit -p sops
|
||||
# use: `sane-dump-secret /path/to/accounts/website.yaml`
|
||||
# dumps relevant information about the account, include a OTP code if present
|
||||
secrets=$(sops -d --output-type dotenv $1)
|
||||
function get_value() {
|
||||
echo "$secrets" | grep "^$1=" | cut -d '=' -f 2-
|
||||
}
|
||||
echo username: $(get_value username)
|
||||
echo password: $(get_value password)
|
||||
totp=$(get_value totp-b32)
|
||||
[[ -z "$totp" ]] || echo totp: $(oathtool -b --totp $totp)
|
||||
#
|
||||
# N.B.: avoid leaking secrets into cmdline args, where they're globally visible via /proc/$PID/cmdline!
|
||||
# `echo "$str" | something-else` manages to avoid this, but only if using the shell's builtin echo
|
||||
# so e.g. `echo`ing the variable in a subshell might leak it.
|
||||
|
||||
# TODO: probably a way to parse this into a native bash dictionary
|
||||
# instead of doing repeat greps
|
||||
secrets=$(sops -d --output-type dotenv $1)
|
||||
|
||||
has_value() {
|
||||
echo "$secrets" | grep -q "^$1="
|
||||
}
|
||||
|
||||
print_value() {
|
||||
echo "$secrets" | grep "^$1=" | cut -d '=' -f 2-
|
||||
}
|
||||
print_value_with_header() {
|
||||
echo -n "$1: "
|
||||
print_value "$1"
|
||||
}
|
||||
|
||||
print_value_with_header "username"
|
||||
print_value_with_header "password"
|
||||
if has_value "totp-b32"; then
|
||||
echo -n "totp: "
|
||||
print_value "totp-b32" | oathtool -b -
|
||||
fi
|
||||
|
||||
|
|
Loading…
Reference in New Issue