
    redact-env

    0.3.1 • Public • Published

    🔒👀 redact-env


    Redact values of critical environment variables in a string.

    ⚠️ Disclaimer

    This library might not do exactly what you want it to.

    As for anything related to security, read the caveats, check out the source code and the tests before using it in production.

    Installation

    $ yarn add redact-env
    # or
    $ npm i redact-env

    Usage

    import redactEnv from 'redact-env'
    
    const secrets = redactEnv.build(['SECRET_ENV_VAR', 'MY_API_KEY'])
    
    const unsafeString = `
      ${process.env.SECRET_ENV_VAR}
      Oh no, the secrets are leaking !
      ${process.env.MY_API_KEY}
    `
    console.log('unsafe:', unsafeString)
    
    const safeString = redactEnv.redact(unsafeString, secrets)
    console.log('safe:', safeString)

    Output:

    unsafe:
      QfKcO7cjGoxnLg/28/E7meEu2QaS/wNtFB7wlz+hDZA=
      Oh no, the secrets are leaking !
      d9fd627cfd3d6cb597e8faeb2ef0e4583af924aee047125479b2438ee2a18b67
    
    safe:
      [secure]
      Oh no, the secrets are leaking !
      [secure]
    

    Caveats

    Un-redacted values

    redact-env will NOT redact the following environment variable values:

    • "true"
    • "false"
    • "null"

    This is because these string-encoded JSON values are not specific to a single environment variable, and redacting all the booleans and nulls in a string seems overzealous. This is opinionated for a particular usage.

    Parsed numbers in JSON object

    redact-env WILL redact numbers in environment variable values, which will pose a problem if you parse them and dump them as numbers in a JSON object:

    import redactEnv from 'redact-env'
    
    process.env.PIN = '1234'
    
    const secrets = redactEnv.build(['PIN'], process.env)
    
    // Explicit radix; the non-null assertion is needed because
    // process.env values are typed `string | undefined`.
    const pin: number = parseInt(process.env.PIN!, 10)
    
    const unsafe = JSON.stringify({ pin })
    console.log(unsafe)
    // {"pin":1234} => valid JSON
    
    // The number 1234 is replaced verbatim, unquoted, so the JSON breaks.
    const safeButIncorrect = redactEnv.redact(unsafe, secrets)
    
    console.log(safeButIncorrect)
    // {"pin":[secure]}  => not valid JSON

    Windows paths in JSON objects

    Because Windows paths are backslash-delimited and JSON.stringify escapes each backslash as `\\`, a Windows path held in an environment variable will not be redacted when it appears inside a JSON string: the escaped form no longer matches the plain value that redact-env searches for.

    In a future release, we might consider detecting backslashes in an environment variable's value and building two regular expressions for that secret (one for the plain value and one for its backslash-escaped form).
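    The following is an added illustration of the caveat above and of the two-pattern approach the README proposes; it is not redact-env's own code, and the environment values are constructed sample data:

```javascript
// Added illustration (not redact-env's code): a JSON-escaped Windows path
// slips past plain-value matching, and a second pattern for the escaped form
// closes the gap. The environment below is constructed sample data.

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')

// Build one matcher per secret: the plain value and, when the value contains
// characters JSON.stringify escapes (backslashes here), the escaped form too.
function buildSecrets(names, env) {
  const patterns = []
  for (const name of names) {
    const value = env[name]
    if (value === undefined || value === '') continue
    patterns.push(new RegExp(escapeRegExp(value), 'g'))
    const escaped = JSON.stringify(value).slice(1, -1) // drop surrounding quotes
    if (escaped !== value) patterns.push(new RegExp(escapeRegExp(escaped), 'g'))
  }
  return patterns
}

function redact(input, patterns, replacement = '[secure]') {
  return patterns.reduce((out, re) => out.replace(re, replacement), input)
}

// Constructed sample environment with a Windows-style path and a plain key.
const sampleEnv = { KEY_PATH: 'C:\\Users\\alice\\secret.pem', API_KEY: 'abc123' }

// Plain-value-only matching: the path inside the JSON string is missed,
// because JSON.stringify doubled every backslash.
const plainOnly = [new RegExp(escapeRegExp(sampleEnv.KEY_PATH), 'g')]
const leaked = redact(JSON.stringify({ path: sampleEnv.KEY_PATH }), plainOnly)
// leaked === '{"path":"C:\\\\Users\\\\alice\\\\secret.pem"}'

// Two patterns per backslash-containing secret: the escaped path is caught.
const secrets = buildSecrets(['KEY_PATH', 'API_KEY'], sampleEnv)
const safe = redact(
  JSON.stringify({ path: sampleEnv.KEY_PATH, key: sampleEnv.API_KEY }),
  secrets
)
// safe === '{"path":"[secure]","key":"[secure]"}'
```

    Note that the result stays valid JSON only because the redacted values were JSON strings; the unquoted-number caveat above still applies.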

    License

    MIT - Made with ❤️ by François Best - Donations welcome 🙏

    Package metadata

    • Weekly downloads: 2,326
    • Version: 0.3.1
    • License: MIT
    • Unpacked size: 9.82 kB
    • Total files: 5
    • Collaborators: franky47