nixpkgs/pkgs/build-support/replace-secret/replace-secret.py
talyz 27f8f6956a
replace-secret: Init
Add a small utility script which securely replaces secrets in
files. Doing this with `sed`, `replace-literal` or similar utilities
leaks the secrets through the spawned process' `/proc/<pid>/cmdline` file.
2021-05-19 09:32:00 +02:00

29 lines
900 B
Python
Executable File

#!/usr/bin/env python
import argparse
from argparse import RawDescriptionHelpFormatter
description = """
Replace a string in one file with a secret from a second file.
Since the secret is read from a file, it won't be leaked through
'/proc/<pid>/cmdline', unlike when 'sed' or 'replace' is used.
"""
parser = argparse.ArgumentParser(
description=description,
formatter_class=RawDescriptionHelpFormatter
)
parser.add_argument("string_to_replace", help="the string to replace")
parser.add_argument("secret_file", help="the file containing the secret")
parser.add_argument("file", help="the file to perform the replacement on")
args = parser.parse_args()
with open(args.secret_file) as sf, open(args.file, 'r+') as f:
old = f.read()
secret = sf.read().strip("\n")
new_content = old.replace(args.string_to_replace, secret)
f.seek(0)
f.write(new_content)
f.truncate()