Secret values are exposed in tasks #1862
Comments
Thanks for reporting this problem, @stoney95! 🙏 This is an interesting observation, and I like your suggested solution 2. This would be similar to how, e.g., GitLab CI redacts the values of masked CI variables in the CI job log. The main challenge seems to be distinguishing a secret value from another substring in the task's stdout/stderr that coincides with the secret value.
@sisp, thanks for reacting so quickly! Does this also mean that there is currently no way built into copier to handle secrets?
If you mean "redact secrets in stdout/stderr", then Copier has no built-in way to handle it right now. In contrast to a regular question, the answer of a secret question is not recorded in the answers file (typically
Thanks for pointing out the current behavior of a secret question. This is also clearly documented 👍 My question is rather how answers to secret questions are currently supposed to be accessed? The only way I can currently imagine is to use
That's correct, secret values are accessed like any other values. Why do you think this is suboptimal? When you render a Git-ignored file with a secret value, it is not printed or versioned. When you use it as a CLI flag value in a task, then indeed it is not redacted, which I think we should try to fix. Another approach to "handling" secret values might be assigning them to environment variables passed to tasks such that either a task program uses the environment variable internally or it is used to pass a CLI flag value:

```yaml
_tasks:
  - command: "python my_script.py --password $PASSWORD"
    env: # or `environment` since we tend to avoid abbreviations
      PASSWORD: "{{ password }}"
```

This syntax is inspired by Task's environment variables. A downside of this approach is that the use of environment variables has different syntax on Unix and Windows. Is this a feature you'd like Copier to offer?
Have you considered rendering the secrets into a git-ignored file and then using that file in your script? Example:
This way, your secrets are stored securely in a file that is not tracked by git, and your script can safely read them without exposing them in the terminal.
Describe the problem
I want to install dependencies when creating a project from a copier template. The dependencies are hosted on a private pypi mirror. Credentials are required to install dependencies from there. I run the installation via a python script. But we could also assume that we want to set an environment variable etc.
So, in the template I ask for the username and password. I mark the password as `secret`. I did not find any proper documentation of how to use this password securely. In the documentation for `tasks` the template variables are inserted via `{{ var_name }}`. Using this exposes the secret variable.
Template
To Reproduce
Run `copier copy --trust` with the template from above. With this the password is exposed in the terminal.
Logs
No response
Expected behavior
There are multiple options:
1. `Running task 1 of 1`.
2. `Running task 1 of 1: python my_script.py --username=user --password=***`
I prefer option 2, but am also happy with any other option
Screenshots/screencasts/logs
No response
Operating system
Windows
Operating system distribution and version
Windows 11
Copier version
9.4.1
Python version
3.11
Installation method
pip+pypi
Additional context
No response
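As an added illustration (not Copier's code), the two ideas in this thread side by side: masking secret answers in the task log line (option 2 of the expected behavior) and the env-variable form proposed in the comments, where the secret is rendered only into the task's environment so the logged command keeps the literal `$PASSWORD`. `render` is a minimal stand-in for Copier's Jinja rendering, and the minimum-length rule is an assumption about how to avoid masking coincidental short substrings.

```python
import re
from typing import Mapping

MASK = "***"
# Assumption, not Copier's rule: very short values are never masked, because a
# 1- or 2-character "secret" would also blank out unrelated command fragments.
MIN_SECRET_LEN = 8

# Minimal stand-in for Jinja rendering of "{{ name }}" placeholders.
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, answers: Mapping[str, str]) -> str:
    """Substitute {{ name }} placeholders from ``answers`` (hypothetical helper)."""
    return _PLACEHOLDER.sub(lambda m: str(answers[m.group(1)]), template)


def redact(text: str, secret_answers: Mapping[str, str]) -> str:
    """Replace each secret answer's value in ``text`` with MASK.

    Longer values are replaced first so a secret that is a prefix of another
    cannot leave the tail of the longer one exposed.
    """
    values = {v for v in secret_answers.values() if len(v) >= MIN_SECRET_LEN}
    for value in sorted(values, key=len, reverse=True):
        text = text.replace(value, MASK)
    return text


def task_log_line(index: int, total: int, command: str,
                  secret_answers: Mapping[str, str]) -> str:
    """The line printed before running a task, with secret values masked."""
    return f"Running task {index} of {total}: {redact(command, secret_answers)}"


def task_with_env(task: Mapping, answers: Mapping[str, str],
                  secret_names: set[str]) -> tuple[str, dict[str, str]]:
    """Env-variable form: the command is rendered with non-secret answers only,
    so a secret referenced directly in the command is rejected instead of logged;
    secrets reach the task only through the rendered ``env`` mapping."""
    public = {k: v for k, v in answers.items() if k not in secret_names}
    try:
        command = render(task["command"], public)
    except KeyError as exc:
        raise ValueError(f"secret {exc} used in command; pass it via env") from None
    env = {name: render(value, answers) for name, value in task.get("env", {}).items()}
    return command, env
```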