Multi-line .env values visible in incognito window


#1

My application requires a private key, which I’d very much like to keep hidden. I include that key in my .env file, but when opening the project from an incognito window (where I would expect to see all files except .env and .data, correct?) I see a somewhat corrupted version of .env, and the sensitive content is very much still there.

In case it’s related to the content, I have:

# API key.
API_KEY="<<< SECRET STUFF HERE >>>"

# Private key.
PRIVATE_KEY=$(cat <<'END_HEREDOC'
  
  <<< SECRET STUFF HERE >>>

END_HEREDOC
)

When opening the project in incognito, the .env file is there, the $(cat <<'END_HEREDOC' text is missing, and the private key itself is visible.

Here’s a link, where I’ve removed the parts I’m concerned about:


#2

Ok, I see now that Glitch is not able to obscure multi-line env values. I was able to work around that by editing my private key to a single line, but it would be easier for others to remix my project if that weren’t necessary.

It would be great if multi-line .env values could be hidden correctly, as I could very easily have missed something like this.


#4

ya the logic we’re using to mask env values is pretty basic, I’ll add support for parsing out multiline strings using cat to our backlog


#5

Thanks! I think another option (maybe simpler?) would be to use a CodeMirror overlay to make some mask-ey effect on values, with the same single-line-only logic used for redacting, so it’s more transparent to the author what is and is not redacted.
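The gap this thread describes, as an added example that is not part of any post and is not Glitch's code: `naiveRedact` is an assumed line-by-line masker that reproduces the leak reported in #1, while `redactEnv` (a hypothetical name) tracks heredoc and open-quote state and drops any line it cannot classify. All values in `SAMPLE` are constructed.

```javascript
// Added example, not Glitch's code. All secret values below are constructed.
const MASK = "********";
const ASSIGN = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$/;
const HEREDOC = /<<-?\s*(['"]?)([A-Za-z_][A-Za-z0-9_]*)\1/;
const unescaped = (s) => s.replace(/\\./g, ""); // ignore \" and \' when looking for quotes

// Assumed single-line-only masking: every line is judged on its own.
function naiveRedact(text) {
  return text.split("\n").map((line) => {
    const m = ASSIGN.exec(line);
    return m ? `${m[1]}=${MASK}` : line;
  }).join("\n");
}

// Stateful masking: follows heredocs and unclosed quotes, and fails closed.
function redactEnv(text) {
  const out = [];
  let heredocEnd = null; // delimiter that closes the current heredoc
  let openQuote = null;  // quote character of a value that is still open
  for (const line of text.split("\n")) {
    if (heredocEnd !== null) {            // heredoc body: never emitted
      if (line === heredocEnd) heredocEnd = null; // exact match only
      continue;
    }
    if (openQuote !== null) {             // continuation of a quoted value
      if (unescaped(line).includes(openQuote)) openQuote = null;
      continue;
    }
    const m = ASSIGN.exec(line);
    if (m) {
      out.push(`${m[1]}=${MASK}`);
      const value = unescaped(m[2]);
      const h = HEREDOC.exec(m[2]);
      const q = value[0];
      if (h) heredocEnd = h[2];
      else if ((q === '"' || q === "'") && value.indexOf(q, 1) === -1) openQuote = q;
    } else if (/^\s*(#.*)?$/.test(line)) {
      out.push(line);                     // blank lines and comments are shown
    }                                     // anything unrecognised is dropped
  }
  return out.join("\n");
}

const SAMPLE = [
  "# API key.", 'API_KEY="constructed-api-key"', "", "# Private key.",
  "PRIVATE_KEY=$(cat <<'END_HEREDOC'", "  ", "  constructed-private-key-line-1",
  "  # constructed-private-key-line-2", "", "END_HEREDOC", ")",
  'CERT="constructed-cert-line-1', 'constructed-cert-line-2"', "PORT=3000",
].join("\n");

console.log(redactEnv(SAMPLE));
```

A heredoc whose delimiter never appears on a line of its own causes the rest of the file to be withheld, so a parsing mistake over-redacts instead of exposing the value.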