trapdoor 0.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/README.md +33 -0
- data/lib/fs.rb +21 -0
- data/lib/hash.rb +17 -0
- data/lib/trapdoor.rb +47 -0
- metadata +46 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: fc2362b2a0d309422e3496c6f5d7bc48e43515ff2b69cd5e647455efe932baa9
|
|
4
|
+
data.tar.gz: 15bd431d03de752a46c04ba482be0d4109d6b6bb960bca2ed40675aaae855885
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: a379e920d73e48565ecfad445980935e630e180f311539538e81e913b35214dce869f283ab8f91130f0f6ac4fc9383095fdd09b65ca40b29f4fb3c932cd7aa1f
|
|
7
|
+
data.tar.gz: e565d57865346e4fe8010adfd8e3100d07374ffc384494f6e1bc661f0dbad5d1513a5fb3ded7111b8c368c879a3ee3aa241766dfd536320eda5e3664b31bbd14
|
data/README.md
ADDED
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
# trapdoor
|
|
2
|
+
|
|
3
|
+
trapdoor monkeypatches `ENV` so any secret values are available when asked for by name (i.e. `ENV['SOME_SECRET']`) but are hidden when requested in bulk (i.e. `ENV.to_h`, `ENV.inspect`, iterators). This was designed to be a drop in replacement for codebases that use `ENV` to hold secrets but also use developer tools that may cause these values to be accidentally logged.
|
|
4
|
+
|
|
5
|
+
## Installation
|
|
6
|
+
|
|
7
|
+
1. Add to your Gemfile and install with bundle, or `gem install trapdoor`
|
|
8
|
+
2. `require 'trapdoor'`
|
|
9
|
+
|
|
10
|
+
## Walkthrough
|
|
11
|
+
|
|
12
|
+
Let's start by inspecting the environment in the repl. We can see `SECRET_API_TOKEN` and its value.
|
|
13
|
+
|
|
14
|
+
```
|
|
15
|
+
> ENV
|
|
16
|
+
=> {... "SECRET_API_TOKEN"=>"987tfghjo0987yt"}
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
After loading `trapdoor`, let's tell it to hide this specific value then inspect the environment again.
|
|
20
|
+
|
|
21
|
+
```
|
|
22
|
+
> ENV.hide "SECRET_API_TOKEN"
|
|
23
|
+
> ENV
|
|
24
|
+
=> {... "SECRET_API_TOKEN"=>"**REDACTED**"}
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
But we can see this value can still be accessed just like before:
|
|
28
|
+
```
|
|
29
|
+
> ENV['SECRET_API_TOKEN']
|
|
30
|
+
=> "987tfghjo0987yt"
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
Additionally, we can call `ENV.start_smuggling` to start redacting all new environment variables. This can be useful if you insert sensitive variables into the environment afterwards so that any non-pre loaded values are redacted.
|
data/lib/fs.rb
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
class Secret_FS
|
|
2
|
+
def initialize(base:)
|
|
3
|
+
@base = base
|
|
4
|
+
@cache = {}
|
|
5
|
+
end
|
|
6
|
+
|
|
7
|
+
def [](key)
|
|
8
|
+
return @cache[key] if @cache.include? key
|
|
9
|
+
return @cache[key] = get_secret(secret: key)
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def []=(key, value)
|
|
13
|
+
raise "NOOOOOOOOOO"
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
private
|
|
17
|
+
|
|
18
|
+
def get_secret(secret:)
|
|
19
|
+
open("#{@base}/#{secret.downcase}.txt").read
|
|
20
|
+
end
|
|
21
|
+
end
|
data/lib/hash.rb
ADDED
data/lib/trapdoor.rb
ADDED
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
require './lib/fs'
|
|
2
|
+
require './lib/hash'
|
|
3
|
+
|
|
4
|
+
ENV.instance_eval do
|
|
5
|
+
OLD_ASSIGN = ENV.method(:[]=)
|
|
6
|
+
OLD_HASH = ENV.method(:[])
|
|
7
|
+
OLD_TO_H = ENV.method(:to_h)
|
|
8
|
+
SMUGGLED = {}
|
|
9
|
+
@smuggling = false
|
|
10
|
+
|
|
11
|
+
def start_smuggling(backend:)
|
|
12
|
+
@backend = backend
|
|
13
|
+
@smuggling = true
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def [](key)
|
|
17
|
+
value = OLD_HASH.call key
|
|
18
|
+
return value unless value.nil?
|
|
19
|
+
return @backend[key] if @smuggling
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def []=(key, value)
|
|
23
|
+
if @smuggling
|
|
24
|
+
@backend[key] = value
|
|
25
|
+
else
|
|
26
|
+
OLD_ASSIGN.call(key, value)
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def smuggle(key, value)
|
|
31
|
+
@backend[key] = value
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def hide(key)
|
|
35
|
+
ENV.delete key
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def to_h
|
|
39
|
+
OLD_TO_H.call.merge(@backend.hash.map { |k,v|
|
|
40
|
+
[k, "**REDACTED**"]
|
|
41
|
+
}.to_h)
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
def inspect
|
|
45
|
+
to_h.inspect
|
|
46
|
+
end
|
|
47
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: trapdoor
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.4.0
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- OMAR
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2023-01-22 00:00:00.000000000 Z
|
|
12
|
+
dependencies: []
|
|
13
|
+
description: trapdoor
|
|
14
|
+
email:
|
|
15
|
+
executables: []
|
|
16
|
+
extensions: []
|
|
17
|
+
extra_rdoc_files: []
|
|
18
|
+
files:
|
|
19
|
+
- README.md
|
|
20
|
+
- lib/fs.rb
|
|
21
|
+
- lib/hash.rb
|
|
22
|
+
- lib/trapdoor.rb
|
|
23
|
+
homepage: https://github.com/ancat/trapdoor
|
|
24
|
+
licenses:
|
|
25
|
+
- MIT
|
|
26
|
+
metadata: {}
|
|
27
|
+
post_install_message:
|
|
28
|
+
rdoc_options: []
|
|
29
|
+
require_paths:
|
|
30
|
+
- lib
|
|
31
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
32
|
+
requirements:
|
|
33
|
+
- - ">="
|
|
34
|
+
- !ruby/object:Gem::Version
|
|
35
|
+
version: '2.5'
|
|
36
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - ">="
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: '0'
|
|
41
|
+
requirements: []
|
|
42
|
+
rubygems_version: 3.1.6
|
|
43
|
+
signing_key:
|
|
44
|
+
specification_version: 4
|
|
45
|
+
summary: Expose sensitive values to your environment without leaking them
|
|
46
|
+
test_files: []
|