#3445 PR merged: Do not show secrets in the dump workflow without --expose-secrets
Labels: bug, fixed / solved / done
jsmeix opened issue at 2025-04-03 15:55:

- Type: Bug Fix
- Impact: High
- Reference to related issue (URL):
  https://github.com/rear/rear/issues/3444
- How was this pull request tested?
  With

      { BACKUP_PROG_CRYPT_KEY='my_backup_crypt_key' ; } 2>>/dev/$SECRET_OUTPUT_DEV

  in local.conf
  I get

      # usr/sbin/rear dump | egrep 'BACKUP_PROG_CRYPT_KEY|OUTPUT_LFTP_PASSWORD'
      [no output]

  versus

      # usr/sbin/rear -e dump | egrep 'BACKUP_PROG_CRYPT_KEY|OUTPUT_LFTP_PASSWORD'
      BACKUP_PROG_CRYPT_KEY="my_backup_crypt_key"
      OUTPUT_LFTP_PASSWORD=""

- Description of the changes in this pull request:
  In lib/dump-workflow.sh
  do not show the value of variables
  which could contain secret values
  unless sbin/rear was called with --expose-secrets.
  To implement this in a generic way
  a new array SECRET_VARIABLES gets set in default.conf
  which contains the names of those variables
  which could contain secret values, see
  https://github.com/rear/rear/issues/2967#issuecomment-1497382823
  If needed the user can add more names to this array.
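
The mechanism described in the pull request above, as an added example that is not part of the pull request and not taken from ReaR's lib/dump-workflow.sh: a dump routine that leaves out every variable named in SECRET_VARIABLES unless the caller asks for secrets to be exposed. The functions `is_secret_variable` and `dump_config`, the `yes`/`no` argument standing in for --expose-secrets, and the `BACKUP_URL` and `MY_API_TOKEN` values are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not ReaR code: function names and the expose argument are hypothetical.

# Names of variables that could contain secret values (array name as in the PR).
SECRET_VARIABLES=( BACKUP_PROG_CRYPT_KEY OUTPUT_LFTP_PASSWORD )

# Constructed sample configuration values.
BACKUP_PROG_CRYPT_KEY='my_backup_crypt_key'
OUTPUT_LFTP_PASSWORD=''
BACKUP_URL='nfs://backup.example/export'

# Return 0 if $1 is listed in SECRET_VARIABLES (exact name match, not substring).
is_secret_variable() {
    local name
    for name in "${SECRET_VARIABLES[@]}"; do
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# dump_config EXPOSE NAME...
# Print NAME="value" for each NAME. Names listed in SECRET_VARIABLES are
# printed only when EXPOSE is "yes" (standing in for --expose-secrets).
dump_config() {
    local expose="$1" name
    shift
    for name in "$@"; do
        if is_secret_variable "$name" && [ "$expose" != "yes" ]; then
            continue
        fi
        # ${!name} is bash indirect expansion: the value of the variable named by $name.
        printf '%s="%s"\n' "$name" "${!name}"
    done
}

# A user extends the array for a site-specific secret (MY_API_TOKEN is hypothetical).
SECRET_VARIABLES+=( MY_API_TOKEN )
MY_API_TOKEN='constructed-token'

echo "--- without exposing secrets"
dump_config no  BACKUP_URL BACKUP_PROG_CRYPT_KEY OUTPUT_LFTP_PASSWORD MY_API_TOKEN
echo "--- with secrets exposed"
dump_config yes BACKUP_URL BACKUP_PROG_CRYPT_KEY OUTPUT_LFTP_PASSWORD MY_API_TOKEN
```

Because the check is driven by the array rather than by a hard-coded list, a variable added to SECRET_VARIABLES is covered without touching the dump routine.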
jsmeix commented at 2025-04-07 12:32:
@rear/contributors
I would like to merge it soon today.
jsmeix commented at 2025-04-07 12:34:
The only thing which really matters here is
the name of the new config variable
SECRET_VARIABLES
because we cannot easily change the user interface.
Anything else is ReaR internal which can be changed
as needed at any time later as we like.
[Export of Github issue for rear/rear.]