deislabs/hippo-cli

Should we hide all environment variable values in help text?

itowlson opened this issue · 2 comments

By default, if a Clap argument has an environment variable associated with it, and that environment variable is set, then Clap includes the value in help text (see #62 for examples). We have hidden this for passwords. @bacongobbler has raised the question of whether we should hide it for all arguments.

Repeating the same question here for posterity:

Could leaking the output of HIPPO_USERNAME and HIPPO_URL be considered leaking private credentials if those values were internal secrets, like HIPPO_URL=https://icantbelieveitsnothippo.com?

I don't think that they represent enough of a security problem to warrant hiding them (it's "minor information disclosure"), but the debugging value of seeing the HIPPO_URL is pretty high, I think. So I think there is an argument for at least leaving that one.