将凭据安全地传递给命令行实用程序。

huangapple go评论66阅读模式
英文:

Securely pass credentials to command-line utility

问题

Sure, here's the translated code portion without any additional content:

curl -s 'https://api.cloudflare.com/client/v4/zones/{zone_identifier}/logpush/jobs' \
-H "X-Auth-Email: carl@example.com" \
-H "X-Auth-Key: abc123"

Please note that I will only provide translations for the code and not answer the question you want to translate.

英文:
curl -s 'https://api.cloudflare.com/client/v4/zones/{zone_identifier}/logpush/jobs' \
-H "X-Auth-Email: carl@example.com" \
-H "X-Auth-Key: abc123"

If I run this, the secret string abc123 leaks up in three places:

  • Shell history
  • Terminal output
  • ps output

I can replace the hardcoded password with something like $(pass show cloudflare-api-key), in which case the password only leaks in ps output. This is still bad, as an unprivileged daemon on my machine could steal my credentials.

Is there a handy way to pass credentials to a command-line utility in an ad-hoc fashion such that the credential doesn't leak to ps either?

答案1

得分: 2

Curl可以从标准输入读取标志,所以假设你的密码不包含换行符:

pass show cloudflare-api-key \
  | sed -ne 's/"/\\"/g' -e '1s/.*/-H "X-Auth-Key: &"/p' \
  | curl -K- <其他选项>

pass中的文件可能包含密码下面的其他字段,所以我确保sed只显示第一行。这个sed表达式非常简单:首先我们转义密码内的所有双引号,然后将密码放入curl -H选项的参数中。这可以很容易地扩展到从pass中提取其他字段,比如电子邮件:

$ printf %s\\n '12"3' 'email: foo@bar.com' \
  | sed -ne 's/&quot;/\\&quot;/g' -e '1s/.*/-H "X-Auth-Key: &amp;"/p' -e 's/^email: \(.*\)/-H "X-Auth-Email: "/p'
-H "X-Auth-Key: 12\&quot;3"
-H "X-Auth-Email: foo@bar.com"
英文:

Curl can read flags from stdin, so assuming your password doesn't contain newlines:

pass show cloudflare-api-key \
  | sed -ne &#39;s/&quot;/\\&quot;/g&#39; -e &#39;1s/.*/-H &quot;X-Auth-Key: &amp;&quot;/p&#39; \
  | curl -K- &lt;other options&gt;

Files in pass may include other fields below the password, so I made sure that sed only shows the first line. The sed expression is pretty simple: first we escape all of the double quotes inside the password, then we put the password inside curl -H option's argument. This can be easily extended to pull other fields, like email, from pass as well:

$ printf %s\\n &#39;12&quot;3&#39; &#39;email: foo@bar.com&#39; \
  | sed -ne &#39;s/&quot;/\\&quot;/g&#39; -e &#39;1s/.*/-H &quot;X-Auth-Key: &amp;&quot;/p&#39; -e &#39;s/^email: \(.*\)/-H &quot;X-Auth-Email: &quot;/p&#39;
-H &quot;X-Auth-Key: 12\&quot;3&quot;
-H &quot;X-Auth-Email: foo@bar.com&quot;

huangapple
  • 本文由 发表于 2023年4月13日 23:56:56
  • 转载请务必保留本文链接:https://go.coder-hub.com/76007492.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定