Skip to content

Latest commit

 

History

History
105 lines (71 loc) · 2.65 KB

README.md

File metadata and controls

105 lines (71 loc) · 2.65 KB

zsh-mask

Masks secrets in your zsh history

Example:

❯ curl -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5c' https://example.com
❯ curl -u foo:bar https://example.com
❯ curl https://foo:[email protected]
❯ AWS_SECRET_ACCESS_KEY=key aws s3 ls s3://example
❯ export DB_PASSWORD=foo
❯ history | tail
 1  curl -H 'Authorization: ...' https://example.com > /dev/null
 2  curl -u ... https://example.com > /dev/null
 3  curl https://[email protected] > /dev/null
 4  AWS_SECRET_ACCESS_KEY=... aws s3 ls s3://example
 5  export DB_PASSWORD=...

ZSH will let you recover the previous command with secrets immediately after execution:

> curl http://username:[email protected]/foo
> # <up-arrow> recovers command with password immediately after execution
> # <up-arrow> recovers masked command here

To exclude any command from history, prefix with a space. It behaves the same as above:

>  echo "prefixed with space"
> # available here on <up-arrow>
> # Not available here 

Control what secrets are catched by setting the environment variable HISTORY_EXCLUDE_PATTERN. If the pattern includes a single group, that group is substituted with .... The default HISTORY_EXCLUDE_PATTERN is

echo $HISTORY_EXCLUDE_PATTERN
^ |//([^/]+:[^/]+)@|KEY[=:] *([^ ]+)|TOKEN[=:] *([^ ]+)|BEARER[=:] *([^ ]+)|PASSWO?R?D?[=:] *([^ ]+)|Authorization[=:] *([^'\"]+)|-us?e?r? ([^:]+:[^:]+) 

it is not case sensitive

Installation

Using Plain zsh

Download zsh-mask.zsh, then add to .zshrc

source /path/to/zsh-mask.zsh

Using Antibody

antibody bundle jgogstad/zsh-mask

Using ZInit

Add the following to .zshrc

zinit light jgogstad/zsh-mask

Using ZPlug

Add the following to .zshrc

zplug 'jgogstad/zsh-mask'

Using Oh My Zsh

git clone https://github.com/jgogstad/zsh-mask ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-mask

Add the following to .zshrc

plugins=(zsh-mask)

Customization

Overwrite HISTORY_EXCLUDE_PATTERN to customize:

export HISTORY_EXCLUDE_PATTERN="^ykchalresp|$HISTORY_EXCLUDE_PATTERN"

The pattern is a regex and it's evaluated with zsh's =~ operator using case insensitive evaluation.