envio icon indicating copy to clipboard operation
envio copied to clipboard
verified publisher icon envio-cli

Remaining clear-text secrets in /tmp

Open jerome-jutteau opened this issue 1 year ago • 2 comments

Hi!

Describe the bug setenv.sh generates a tmp file (using mktemp), clear text secrets are written here, the file is then sourced and deleted.

For some unknown reason, I have cumulated some non-deleted tmp files containing clear-text secrets from my profiles.

To Reproduce

I am not sure how to reproduce this issue. This could occur as my shell is stopped or crash between $TMP_FILE writing and rm "$TMP_FILE".

Expected behavior

Ideally, I would prefer that no file contains clear text secrets.

Device (please complete the following information):

  • OS: macOS 14.3.1 (23D60) on Apple M1 MacBook Air 2020
  • Shell: GNU bash, version 3.2.57(1)-release (arm64-apple-darwin23)
  • CLI Version: 0.5.1

jerome-jutteau avatar Feb 29 '24 13:02 jerome-jutteau

Naively, one solution may be to have setenv.sh run something like:

source "$(envio load --shell bash -n myprofile)"

jerome-jutteau avatar Feb 29 '24 13:02 jerome-jutteau

@jerome-jutteau, I made a few changes to the shell script, so take a look and see if the issue still occurs for you.

humblepenguinn avatar Mar 01 '24 06:03 humblepenguinn