opdotenv 1.0.0 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 484498d0c2471d83e66fd42819feef80da6432e79c2166ceb15b1ece037b2046
-  data.tar.gz: fce7dbd63416abb37af84c4bdf78792d1172fa1bea972d467f7a871ca1d58e12
+  metadata.gz: ab16f9144c5c1ce14ba72552fb42fabdfa649be3fd30888cf9778cb85a107dca
+  data.tar.gz: 93da9bbea0c621726e3d9df051efeeb1dc3e9647653d11cb28501aa1bda3f901
 SHA512:
-  metadata.gz: 319700ee96600edbb66bc90db27dadb07cfe269cc0f10570b582ae349f8f6234ff29a5950590a57763450c48a95ab1fcd3925bf0d929a1604d2e15a5cc335b11
-  data.tar.gz: 351b895887435dabeb2dec23884d741f192a16aa3c26be083490ff9a7be8189b06d03d8c8f0e7e3373a875d3d8edda5aabc620e5b2a157f05390293fb5cfbaf9
+  metadata.gz: 82046c290a5d56508f7c51b49481d8c0442d41093da3a8fac56edc65361a58070ec629d8c3d52c866bab1fff93f7f04c953b54ef5cf999222f94f1b050aeca36
+  data.tar.gz: d8f041eaf6f2f309b9c2a5f7fda1dc50b5295c7d54f51c7897d1f96410a5667cc9b6a3a1ff700e06b8b05944cc8797ce88b9b0dc43d684ff927a042629161120

data/CHANGELOG.md

@@ -1,5 +1,20 @@
 # CHANGELOG
 
+## 1.0.2 (2025-11-05)
+
+- Enhance error handling and security measures across the codebase
+- Improved error logging to avoid leaking sensitive information (uses exception class names instead of messages)
+- Enhanced API error handling with generic messages for server errors to prevent sensitive data exposure
+- Updated CLI output to clarify that secrets may be displayed intentionally for command-line usage
+- Update Rails appraisals: remove support for Rails 6.0, 7.0, 7.1, 8.0; maintain support for Rails 6.1, 7.2, 8.1
+
+## 1.0.1 (2025-11-05)
+
+- Add configurable op CLI path support
+- Support for `OP_CLI_PATH` and `OPDOTENV_CLI_PATH` environment variables
+- Rails configuration option `config.opdotenv.cli_path`
+- Direct API support via `OpClient.new(cli_path: ...)` and `ClientFactory.create(cli_path: ...)`
+
 ## 1.0.0 (2025-11-04)
 
 - Initial stable release

data/README.md

@@ -1,11 +1,15 @@
 # opdotenv
 
-[![Gem Version](https://badge.fury.io/rb/opdotenv.svg)](https://badge.fury.io/rb/opdotenv) [![Test Status](https://github.com/amkisko/opdotenv/actions/workflows/ci.yml/badge.svg)](https://github.com/amkisko/opdotenv/actions/workflows/ci.yml) [![codecov](https://codecov.io/gh/amkisko/opdotenv/graph/badge.svg?token=YOUR_TOKEN)](https://codecov.io/gh/amkisko/opdotenv/graph/badge.svg?token=YOUR_TOKEN)
+[![Gem Version](https://badge.fury.io/rb/opdotenv.svg?v=1.0.2)](https://badge.fury.io/rb/opdotenv) [![Test Status](https://github.com/amkisko/opdotenv.rb/actions/workflows/ci.yml/badge.svg)](https://github.com/amkisko/opdotenv.rb/actions/workflows/ci.yml) [![codecov](https://codecov.io/gh/amkisko/opdotenv.rb/graph/badge.svg?token=U4FMVZGO8R)](https://codecov.io/gh/amkisko/opdotenv.rb)
 
 Load environment variables from 1Password using the `op` CLI or 1Password Connect Server API. Supports dotenv, JSON, and YAML formats.
 
 Sponsored by [Kisko Labs](https://www.kiskolabs.com).
 
+<a href="https://www.kiskolabs.com">
+  <img src="kisko.svg" width="200" alt="Sponsored by Kisko Labs" />
+</a>
+
 ## Installation
 
 Add to your Gemfile:
@@ -18,6 +22,8 @@ gem "opdotenv"
 
 Choose one:
 - **1Password CLI** (`op`) - must be installed and authenticated (`op signin`)
+  - By default, `op` is expected to be in your `PATH`
+  - You can configure a custom path via `OP_CLI_PATH` or `OPDOTENV_CLI_PATH` environment variables, or via Rails config (see below)
 - **1Password Connect Server** - set `OP_CONNECT_URL` and `OP_CONNECT_TOKEN` environment variables
 
 Ruby 2.7+ supported.
@@ -56,6 +62,22 @@ Rails.application.configure do
 end
 ```
 
+### Configure op CLI path
+
+If your `op` CLI command is not in your `PATH` or you want to use a custom path:
+
+```ruby
+Rails.application.configure do
+  config.opdotenv.cli_path = "/usr/local/bin/op"
+end
+```
+
+Alternatively, you can set the `OP_CLI_PATH` or `OPDOTENV_CLI_PATH` environment variable:
+
+```bash
+export OP_CLI_PATH=/usr/local/bin/op
+```
+
 ### Disable automatic loading
 
 ```ruby

data/bin/opdotenv

@@ -15,6 +15,8 @@ when "read"
   end.parse!(ARGV)
   abort("--path required") unless path
   data = Opdotenv::Loader.load(path)
+  # Note: This CLI intentionally outputs secrets to stdout for CLI usage
+  # This is expected behavior for the command-line tool
   puts Opdotenv::Exporter.serialize_by_format(data, :dotenv)
 when "export"
   path = file = nil

data/lib/opdotenv/anyway_loader.rb

@@ -118,8 +118,8 @@ begin
 rescue => e
   # Only warn if debugging is enabled, as this is expected when Anyway Config isn't used
   if ENV["OPDOTENV_DEBUG"] == "true"
-    warn "[opdotenv] Failed to register Anyway loader: #{e.message}"
-    warn "[opdotenv] Error details: #{e.class}: #{e.message}"
+    # Avoid leaking exception messages
+    warn "[opdotenv] Failed to register Anyway loader: #{e.class}"
     warn "[opdotenv] Backtrace: #{e.backtrace.first(3).join("\n")}" if e.backtrace
   end
 end

data/lib/opdotenv/client_factory.rb

@@ -2,7 +2,7 @@ module Opdotenv
   class ClientFactory
     # Creates appropriate client based on configuration or environment
     # Supports both op CLI and Connect API
-    def self.create(env: ENV)
+    def self.create(env: ENV, cli_path: nil)
       # Check for Connect API configuration
       connect_url = env["OP_CONNECT_URL"] || env["OPDOTENV_CONNECT_URL"]
       connect_token = env["OP_CONNECT_TOKEN"] || env["OPDOTENV_CONNECT_TOKEN"]
@@ -10,7 +10,7 @@ module Opdotenv
       if connect_url && connect_token
         ConnectApiClient.new(base_url: connect_url, access_token: connect_token, env: env)
       else
-        OpClient.new(env: env)
+        OpClient.new(env: env, cli_path: cli_path)
       end
     end
   end

data/lib/opdotenv/connect_api_client.rb

@@ -261,17 +261,24 @@ module Opdotenv
       when 404
         raise ConnectApiError, "Not found: #{path}"
       when 500..599
-        raise ConnectApiError, "API error (#{code}): #{extract_error_message(response)}"
+        raise ConnectApiError, "API error (#{code}): Server error"
       else
-        raise ConnectApiError, "API error (#{code}): #{extract_error_message(response)}"
+        # Extract safe error message without leaking response body
+        safe_message = extract_safe_error_message(response)
+        raise ConnectApiError, "API error (#{code}): #{safe_message}"
       end
     end
 
-    def extract_error_message(response)
+    def extract_safe_error_message(response)
+      # Only extract structured error messages from JSON responses
+      # Never include raw response body to avoid leaking secrets
+
       parsed = JSON.parse(response.body)
-      parsed["message"] || parsed["error"] || response.body
+      # Only return known safe fields that are typically error messages
+      parsed["message"] || parsed["error"] || "Request failed"
     rescue JSON::ParserError
-      response.body
+      # For non-JSON responses, return generic message to avoid leaking body
+      "Request failed"
     end
 
     def validate_url(url)

data/lib/opdotenv/op_client.rb

@@ -8,18 +8,19 @@ module Opdotenv
     SECURE_NOTE_CATEGORY = "secure-note"
     LOGIN_CATEGORY = "LOGIN"
 
-    def initialize(env: ENV)
+    def initialize(env: ENV, cli_path: nil)
       @env = env
+      @cli_path = cli_path || env["OP_CLI_PATH"] || env["OPDOTENV_CLI_PATH"] || "op"
     end
 
     def read(path)
       validate_path(path)
-      out = capture(["op", "read", path])
+      out = capture([@cli_path, "read", path])
       out.strip
     end
 
     def item_get(item, vault: nil)
-      args = ["op", "item", "get", item, "--format", "json"]
+      args = [@cli_path, "item", "get", item, "--format", "json"]
       args += ["--vault", vault] if vault
       capture(args)
     end
@@ -28,7 +29,7 @@ module Opdotenv
       # Create a Secure Note with given title and notesPlain
       # Use shell escaping to prevent injection
       args = [
-        "op", "item", "create",
+        @cli_path, "item", "create",
         "--category", SECURE_NOTE_CATEGORY,
         "--title", title,
         "--vault", vault,
@@ -43,10 +44,10 @@ module Opdotenv
         fields.each do |k, v|
           # Use shell escaping to prevent injection
           field_arg = "#{k}=#{v}"
-          capture(["op", "item", "edit", item, "--vault", vault, "--set", field_arg])
+          capture([@cli_path, "item", "edit", item, "--vault", vault, "--set", field_arg])
         end
       else
-        args = ["op", "item", "create", "--title", item, "--vault", vault]
+        args = [@cli_path, "item", "create", "--title", item, "--vault", vault]
         fields.each do |k, v|
           args += ["--set", "#{k}=#{v}"]
         end
@@ -57,7 +58,7 @@ module Opdotenv
     private
 
     def item_exists?(item, vault: nil)
-      args = ["op", "item", "get", item]
+      args = [@cli_path, "item", "get", item]
       args += ["--vault", vault] if vault
       system(*args, out: File::NULL, err: File::NULL)
     end
@@ -87,7 +88,13 @@ module Opdotenv
         end
       end
 
-      raise OpError, out if status.nil? || !status.success?
+      if status.nil? || !status.success?
+        # Never leak command output in error messages for security
+        # Extract safe error information without exposing secrets
+        exit_code = status&.exitstatus || "unknown"
+        command_name = args.first || "op"
+        raise OpError, "Command failed: #{command_name} (exit code: #{exit_code})"
+      end
       out
     end
   end

data/lib/opdotenv/railtie.rb

@@ -10,6 +10,8 @@ module Opdotenv
     # Optional 1Password Connect settings (alternatively set via ENV)
     config.opdotenv.connect_url = nil
     config.opdotenv.connect_token = nil
+    # Optional op CLI path (defaults to "op", can also be set via OP_CLI_PATH or OPDOTENV_CLI_PATH env vars)
+    config.opdotenv.cli_path = nil
     config.opdotenv.overwrite = true
     config.opdotenv.auto_load = true
 
@@ -25,6 +27,11 @@ module Opdotenv
         ENV["OP_CONNECT_TOKEN"] = config.connect_token
       end
 
+      # Set op CLI path from Rails configuration if provided
+      if config.cli_path
+        ENV["OPDOTENV_CLI_PATH"] = config.cli_path
+      end
+
       # Load from configured sources
       # Sources can be strings (simplified format) or hashes (backward compatibility)
       (config.sources || []).each do |source|
@@ -47,7 +54,9 @@ module Opdotenv
           )
         rescue => e
           # Only log errors, not warnings, to avoid noise in production
-          Rails.logger&.error("Opdotenv: Failed to load #{parsed[:path]}: #{e.message}")
+          # Never log exception messages that might contain secrets from command output
+          # Use exception class name instead of message for security
+          Rails.logger&.error("Opdotenv: Failed to load #{parsed[:path]}: #{e.class.name}")
         end
       end
     end

data/lib/opdotenv/version.rb

@@ -1,3 +1,3 @@
 module Opdotenv
-  VERSION = "1.0.0"
+  VERSION = "1.0.2"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: opdotenv
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.2
 platform: ruby
 authors:
 - amkisko
@@ -169,6 +169,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: anyway_config
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 description: Read environment variables from 1Password fields (dotenv/json/yaml format)
   or all fields using the op CLI or 1Password Connect Server API. Export local .env
   files back to 1Password.