trapdoor 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/README.md +33 -0
- data/lib/fs.rb +21 -0
- data/lib/hash.rb +17 -0
- data/lib/trapdoor.rb +47 -0
- metadata +46 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: fc2362b2a0d309422e3496c6f5d7bc48e43515ff2b69cd5e647455efe932baa9
|
|
4
|
+
data.tar.gz: 15bd431d03de752a46c04ba482be0d4109d6b6bb960bca2ed40675aaae855885
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: a379e920d73e48565ecfad445980935e630e180f311539538e81e913b35214dce869f283ab8f91130f0f6ac4fc9383095fdd09b65ca40b29f4fb3c932cd7aa1f
|
|
7
|
+
data.tar.gz: e565d57865346e4fe8010adfd8e3100d07374ffc384494f6e1bc661f0dbad5d1513a5fb3ded7111b8c368c879a3ee3aa241766dfd536320eda5e3664b31bbd14
|
data/README.md
ADDED
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
# trapdoor
|
|
2
|
+
|
|
3
|
+
trapdoor monkeypatches `ENV` so any secret values are available when asked for by name (i.e. `ENV['SOME_SECRET']`) but are hidden when requested in bulk (i.e. `ENV.to_h`, `ENV.inspect`, iterators). This was designed to be a drop in replacement for codebases that use `ENV` to hold secrets but also use developer tools that may cause these values to be accidentally logged.
|
|
4
|
+
|
|
5
|
+
## Installation
|
|
6
|
+
|
|
7
|
+
1. Add to your Gemfile and install with bundle, or `gem install trapdoor`
|
|
8
|
+
2. `require 'trapdoor'`
|
|
9
|
+
|
|
10
|
+
## Walkthrough
|
|
11
|
+
|
|
12
|
+
Let's start by inspecting the environment in the repl. We can see `SECRET_API_TOKEN` and its value.
|
|
13
|
+
|
|
14
|
+
```
|
|
15
|
+
> ENV
|
|
16
|
+
=> {... "SECRET_API_TOKEN"=>"987tfghjo0987yt"}
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
After loading `trapdoor`, let's tell it to hide this specific value then inspect the environment again.
|
|
20
|
+
|
|
21
|
+
```
|
|
22
|
+
> ENV.hide "SECRET_API_TOKEN"
|
|
23
|
+
> ENV
|
|
24
|
+
=> {... "SECRET_API_TOKEN"=>"**REDACTED**"}
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
But we can see this value can still be accessed just like before:
|
|
28
|
+
```
|
|
29
|
+
> ENV['SECRET_API_TOKEN']
|
|
30
|
+
=> "987tfghjo0987yt"
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
Additionally, we can call `ENV.start_smuggling` to start redacting all new environment variables. This can be useful if you insert sensitive variables into the environment afterwards so that any non-pre loaded values are redacted.
|
data/lib/fs.rb
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
class Secret_FS
|
|
2
|
+
def initialize(base:)
|
|
3
|
+
@base = base
|
|
4
|
+
@cache = {}
|
|
5
|
+
end
|
|
6
|
+
|
|
7
|
+
def [](key)
|
|
8
|
+
return @cache[key] if @cache.include? key
|
|
9
|
+
return @cache[key] = get_secret(secret: key)
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def []=(key, value)
|
|
13
|
+
raise "NOOOOOOOOOO"
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
private
|
|
17
|
+
|
|
18
|
+
def get_secret(secret:)
|
|
19
|
+
open("#{@base}/#{secret.downcase}.txt").read
|
|
20
|
+
end
|
|
21
|
+
end
|
data/lib/hash.rb
ADDED
data/lib/trapdoor.rb
ADDED
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
require './lib/fs'
|
|
2
|
+
require './lib/hash'
|
|
3
|
+
|
|
4
|
+
ENV.instance_eval do
|
|
5
|
+
OLD_ASSIGN = ENV.method(:[]=)
|
|
6
|
+
OLD_HASH = ENV.method(:[])
|
|
7
|
+
OLD_TO_H = ENV.method(:to_h)
|
|
8
|
+
SMUGGLED = {}
|
|
9
|
+
@smuggling = false
|
|
10
|
+
|
|
11
|
+
def start_smuggling(backend:)
|
|
12
|
+
@backend = backend
|
|
13
|
+
@smuggling = true
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def [](key)
|
|
17
|
+
value = OLD_HASH.call key
|
|
18
|
+
return value unless value.nil?
|
|
19
|
+
return @backend[key] if @smuggling
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def []=(key, value)
|
|
23
|
+
if @smuggling
|
|
24
|
+
@backend[key] = value
|
|
25
|
+
else
|
|
26
|
+
OLD_ASSIGN.call(key, value)
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def smuggle(key, value)
|
|
31
|
+
@backend[key] = value
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def hide(key)
|
|
35
|
+
ENV.delete key
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def to_h
|
|
39
|
+
OLD_TO_H.call.merge(@backend.hash.map { |k,v|
|
|
40
|
+
[k, "**REDACTED**"]
|
|
41
|
+
}.to_h)
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
def inspect
|
|
45
|
+
to_h.inspect
|
|
46
|
+
end
|
|
47
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: trapdoor
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.4.0
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- OMAR
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2023-01-22 00:00:00.000000000 Z
|
|
12
|
+
dependencies: []
|
|
13
|
+
description: trapdoor
|
|
14
|
+
email:
|
|
15
|
+
executables: []
|
|
16
|
+
extensions: []
|
|
17
|
+
extra_rdoc_files: []
|
|
18
|
+
files:
|
|
19
|
+
- README.md
|
|
20
|
+
- lib/fs.rb
|
|
21
|
+
- lib/hash.rb
|
|
22
|
+
- lib/trapdoor.rb
|
|
23
|
+
homepage: https://github.com/ancat/trapdoor
|
|
24
|
+
licenses:
|
|
25
|
+
- MIT
|
|
26
|
+
metadata: {}
|
|
27
|
+
post_install_message:
|
|
28
|
+
rdoc_options: []
|
|
29
|
+
require_paths:
|
|
30
|
+
- lib
|
|
31
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
32
|
+
requirements:
|
|
33
|
+
- - ">="
|
|
34
|
+
- !ruby/object:Gem::Version
|
|
35
|
+
version: '2.5'
|
|
36
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - ">="
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: '0'
|
|
41
|
+
requirements: []
|
|
42
|
+
rubygems_version: 3.1.6
|
|
43
|
+
signing_key:
|
|
44
|
+
specification_version: 4
|
|
45
|
+
summary: Expose sensitive values to your environment without leaking them
|
|
46
|
+
test_files: []
|