RubyGems - opdotenv - Versions diffs - 1.0.1 → 1.0.2 - Mend

opdotenv 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +8 -0
data/README.md +2 -2
data/bin/opdotenv +2 -0
data/lib/opdotenv/anyway_loader.rb +2 -2
data/lib/opdotenv/connect_api_client.rb +12 -5
data/lib/opdotenv/op_client.rb +7 -1
data/lib/opdotenv/railtie.rb +3 -1
data/lib/opdotenv/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 010e15bce13dd6d38d5c1d05871fe4a395cda0b9a68e0057045aec4f0bed6a15
-  data.tar.gz: 46bf2e43e4b2df72bf1fbb739751dc170e16262a306b6a2373f1098571e00457
+  metadata.gz: ab16f9144c5c1ce14ba72552fb42fabdfa649be3fd30888cf9778cb85a107dca
+  data.tar.gz: 93da9bbea0c621726e3d9df051efeeb1dc3e9647653d11cb28501aa1bda3f901
 SHA512:
-  metadata.gz: 9334e5fc25e01fee0fd7d9ffda74e8df98e598a6275a8ea740790e3dbabde7614eb17bc2f4afddeb37bb29ce10b65f94e63475e46e9f64552fc9699aa6309ffa
-  data.tar.gz: 57d4a520a562d583e8fff85e3d9bf3944429d3442339dbbf44e75731a5f5abad819029606179d8667627836aa730b8424eac3fe21f39ddf81060e0bf36f44e12
+  metadata.gz: 82046c290a5d56508f7c51b49481d8c0442d41093da3a8fac56edc65361a58070ec629d8c3d52c866bab1fff93f7f04c953b54ef5cf999222f94f1b050aeca36
+  data.tar.gz: d8f041eaf6f2f309b9c2a5f7fda1dc50b5295c7d54f51c7897d1f96410a5667cc9b6a3a1ff700e06b8b05944cc8797ce88b9b0dc43d684ff927a042629161120

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # CHANGELOG
+## 1.0.2 (2025-11-05)
+- Enhance error handling and security measures across the codebase
+- Improved error logging to avoid leaking sensitive information (uses exception class names instead of messages)
+- Enhanced API error handling with generic messages for server errors to prevent sensitive data exposure
+- Updated CLI output to clarify that secrets may be displayed intentionally for command-line usage
+- Update Rails appraisals: remove support for Rails 6.0, 7.0, 7.1, 8.0; maintain support for Rails 6.1, 7.2, 8.1
 ## 1.0.1 (2025-11-05)
 - Add configurable op CLI path support

data/README.md CHANGED Viewed

@@ -1,13 +1,13 @@
 # opdotenv
-[![Gem Version](https://badge.fury.io/rb/opdotenv.svg?v=1.0.0)](https://badge.fury.io/rb/opdotenv) [![Test Status](https://github.com/amkisko/opdotenv.rb/actions/workflows/ci.yml/badge.svg)](https://github.com/amkisko/opdotenv.rb/actions/workflows/ci.yml) [![codecov](https://codecov.io/gh/amkisko/opdotenv.rb/graph/badge.svg?token=U4FMVZGO8R)](https://codecov.io/gh/amkisko/opdotenv.rb)
+[![Gem Version](https://badge.fury.io/rb/opdotenv.svg?v=1.0.2)](https://badge.fury.io/rb/opdotenv) [![Test Status](https://github.com/amkisko/opdotenv.rb/actions/workflows/ci.yml/badge.svg)](https://github.com/amkisko/opdotenv.rb/actions/workflows/ci.yml) [![codecov](https://codecov.io/gh/amkisko/opdotenv.rb/graph/badge.svg?token=U4FMVZGO8R)](https://codecov.io/gh/amkisko/opdotenv.rb)
 Load environment variables from 1Password using the `op` CLI or 1Password Connect Server API. Supports dotenv, JSON, and YAML formats.
 Sponsored by [Kisko Labs](https://www.kiskolabs.com).
 <a href="https://www.kiskolabs.com">
-  <img src="https://brand.kiskolabs.com/images/logos/Kisko_Logo_Black_Horizontal-7249a361.svg" width="200" style="display: block; background: white; border-radius: 10px;" />
+  <img src="kisko.svg" width="200" alt="Sponsored by Kisko Labs" />
 </a>
 ## Installation

data/bin/opdotenv CHANGED Viewed

@@ -15,6 +15,8 @@ when "read"
   end.parse!(ARGV)
   abort("--path required") unless path
   data = Opdotenv::Loader.load(path)
+  # Note: This CLI intentionally outputs secrets to stdout for CLI usage
+  # This is expected behavior for the command-line tool
   puts Opdotenv::Exporter.serialize_by_format(data, :dotenv)
 when "export"
   path = file = nil

data/lib/opdotenv/anyway_loader.rb CHANGED Viewed

@@ -118,8 +118,8 @@ begin
 rescue => e
   # Only warn if debugging is enabled, as this is expected when Anyway Config isn't used
   if ENV["OPDOTENV_DEBUG"] == "true"
-    warn "[opdotenv] Failed to register Anyway loader: #{e.message}"
-    warn "[opdotenv] Error details: #{e.class}: #{e.message}"
+    # Avoid leaking exception messages
+    warn "[opdotenv] Failed to register Anyway loader: #{e.class}"
     warn "[opdotenv] Backtrace: #{e.backtrace.first(3).join("\n")}" if e.backtrace
   end
 end

data/lib/opdotenv/connect_api_client.rb CHANGED Viewed

@@ -261,17 +261,24 @@ module Opdotenv
       when 404
         raise ConnectApiError, "Not found: #{path}"
       when 500..599
-        raise ConnectApiError, "API error (#{code}): #{extract_error_message(response)}"
+        raise ConnectApiError, "API error (#{code}): Server error"
       else
-        raise ConnectApiError, "API error (#{code}): #{extract_error_message(response)}"
+        # Extract safe error message without leaking response body
+        safe_message = extract_safe_error_message(response)
+        raise ConnectApiError, "API error (#{code}): #{safe_message}"
       end
     end
-    def extract_error_message(response)
+    def extract_safe_error_message(response)
+      # Only extract structured error messages from JSON responses
+      # Never include raw response body to avoid leaking secrets
       parsed = JSON.parse(response.body)
-      parsed["message"] || parsed["error"] || response.body
+      # Only return known safe fields that are typically error messages
+      parsed["message"] || parsed["error"] || "Request failed"
     rescue JSON::ParserError
-      response.body
+      # For non-JSON responses, return generic message to avoid leaking body
+      "Request failed"
     end
     def validate_url(url)

data/lib/opdotenv/op_client.rb CHANGED Viewed

@@ -88,7 +88,13 @@ module Opdotenv
         end
       end
-      raise OpError, out if status.nil? || !status.success?
+      if status.nil? || !status.success?
+        # Never leak command output in error messages for security
+        # Extract safe error information without exposing secrets
+        exit_code = status&.exitstatus || "unknown"
+        command_name = args.first || "op"
+        raise OpError, "Command failed: #{command_name} (exit code: #{exit_code})"
+      end
       out
     end
   end

data/lib/opdotenv/railtie.rb CHANGED Viewed

@@ -54,7 +54,9 @@ module Opdotenv
           )
         rescue => e
           # Only log errors, not warnings, to avoid noise in production
-          Rails.logger&.error("Opdotenv: Failed to load #{parsed[:path]}: #{e.message}")
+          # Never log exception messages that might contain secrets from command output
+          # Use exception class name instead of message for security
+          Rails.logger&.error("Opdotenv: Failed to load #{parsed[:path]}: #{e.class.name}")
         end
       end
     end

data/lib/opdotenv/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Opdotenv
-  VERSION = "1.0.1"
+  VERSION = "1.0.2"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: opdotenv
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - amkisko