Description
This is not a request for a new language, but for adding conceal support in sh filetypes to hide/cloak sensitive data, like secrets, keys, tokens, passwords, etc.
Link to GitHub repository of Vim plugin
Credit: https://github.com/dhulihan/vim-conceal-secrets/
Is this plugin well maintained?
Yes
Is this plugin lightweight? (no advanced functionality, just indent and syntax support)
Yes, just a syntax file:
```vim
syn match shSecret /.*\(PASS\|PASSWORD\|KEY\|TOKEN\|SECRET\)=/ contains=shVariable nextgroup=shSecretValue
syn match shSecretValue /.*/ contained conceal cchar=*
```

Outcome:

```
FOO=foo
SECRET_KEY=*
API_TOKEN=*
MYSQL_DB_PASS=*
```

However, there are some edge cases with this pattern matching logic:
- If the variable does not end with one of the pattern matched keywords. For example, the following variables will not match and values will not be concealed:

  ```sh
  SECRET_CLIENT_ID=secret-client-id
  USERNAME_PASSWORD_BASE64ENCODED=VVNFUk5BTUVfUEFTU1dPUkRfQkFTRTY0RU5DT0RFRAo=
  ```

- Depending on the user and/or context, some variables may be considered sensitive. For example:

  ```sh
  CERT="-----BEGIN CERTIFICATE-----\nthe-rest-of-my-cert\n-----END CERTIFICATE-----\n"
  ```

- Multi-line strings are not entirely concealed. For example, this:

  ```sh
  PRIVATE_SSH_KEY="$(cat <<EOF
  -----BEGIN OPENSSH PRIVATE KEY-----
  the-rest-of-my-cert
  -----END OPENSSH PRIVATE KEY-----
  EOF
  )"
  ```

  Will be concealed as:

  ```
  PRIVATE_SSH_KEY=*
  -----BEGIN OPENSSH PRIVATE KEY-----
  the-rest-of-my-cert
  -----END OPENSSH PRIVATE KEY-----
  EOF
  )"
  ```
Open to feedback/suggestions on (1) if this is a good idea; if so (2) addressing the edge-cases.
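
An added example, not part of the original issue or the plugin: a Python model of the two `syn match` rules that reports, line by line, what the conceal pattern hides and what it leaves on screen, including heredoc bodies that follow a concealed assignment. The names `render`, `audit` and `SAMPLE` are hypothetical, the sample input is constructed from the examples above, and Python's `re` only approximates Vim's line-based syntax matching.

```python
import re

# Python rendering of the issue's Vim pattern: greedy prefix ending in KEYWORD=,
# then the rest of the line as the value (assumption: case-sensitive matching).
SECRET_ASSIGN = re.compile(r"(.*(?:PASS|PASSWORD|KEY|TOKEN|SECRET)=)(.*)")
# Heredoc opener such as <<EOF, <<-EOF or <<'EOF'; captures the delimiter word.
HEREDOC = re.compile(r"<<-?\s*['\"]?(\w+)['\"]?")

def render(line):
    """Return the line as it would appear with the value concealed as '*'."""
    m = SECRET_ASSIGN.match(line)
    if m and m.group(2):
        return m.group(1) + "*"
    return line

def audit(text):
    """Classify each line as 'concealed', 'visible' or 'leaked'.

    'leaked' marks heredoc body lines that stay readable even though the
    assignment that opened the heredoc was concealed.
    """
    results, open_delim = [], None
    for n, line in enumerate(text.splitlines(), 1):
        shown = render(line)
        if open_delim is not None:
            if line.strip() == open_delim:      # closing delimiter ends the body
                open_delim, status = None, "visible"
            else:
                status = "leaked" if shown == line else "concealed"
        elif shown != line:
            status = "concealed"
            opener = HEREDOC.search(line)
            if opener:                          # value continues on later lines
                open_delim = opener.group(1)
        else:
            status = "visible"
        results.append((n, status, shown))
    return results

# Constructed sample built from the variables quoted in the issue.
SAMPLE = """FOO=foo
API_TOKEN=constructed-token
SECRET_CLIENT_ID=secret-client-id
PRIVATE_SSH_KEY="$(cat <<EOF
-----BEGIN OPENSSH PRIVATE KEY-----
the-rest-of-my-cert
-----END OPENSSH PRIVATE KEY-----
EOF
)"
"""

if __name__ == "__main__":
    for n, status, shown in audit(SAMPLE):
        print(f"{n:2} {status:9} {shown}")
```

Lines reported as `leaked` or as `visible` assignments are the ones a reviewer would need to cover before relying on concealment during screen sharing.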