
feature_request(security): don’t print credentials #80

@Kristinita

Description


1. Summary

It would be nice if grunt-shell-spawn would not print credentials like API keys, passwords and tokens to the console.

2. Justification of the need for the feature

} else if (code !== 0 && options.failOnError && !killed[target]){
grunt.warn('Done, with errors: command "' + data.command + '" (target "' + target +
'") exited with code ' + code + '.');
done();

If a command exits with a non-zero exit code, grunt-shell-spawn prints the full command to the console even if stderr: false and stdout: false. A command may contain credentials. If a user runs commands on a CI with public logs, the credential values are publicly available.

3. MCVE

3.1. Demonstration

You can see this configuration on the KiraShellHideCredentials branch of my repository for debugging and demonstrations.

  1. Travis CI build
  2. AppVeyor CI build

3.2. Files

Gruntfile.coffee:

module.exports = (grunt) ->

	# [INFO] Initialize Dotenvx:
	# https://dotenvx.com/docs/advanced/config
	require("@dotenvx/dotenvx").config()

	grunt.loadNpmTasks "grunt-shell-spawn"

	grunt.initConfig

		shell:
			whoiskira:
				command: "<%= process.env.KIRA %>"
				options:
					stderr: false
					stdout: false

.env:

DOTENV_PUBLIC_KEY=02b182e5caff58c80e32cd37a8973014ab5273c2bd96784b4289e54e37bff7cda5

# [INFO] The variable “KIRA” with encrypted value “Goddess”
KIRA=encrypted:BOdqO1/TTHfqMVuIcT+zgUJYODnVOgQN9PwulvSTGt2p5scJhbf6xEGw49NIoo7F3n9Mjl/vMW1IMjtGjkePxwqIsoc/wF1rgVyAU+rvTw2hGbk+ID/K59YEcxlOa7vRgEXAtQvOcmU=

3.3. Steps to reproduce

  1. I encrypt the value of the KIRA variable using Dotenvx.
  2. I run the command grunt shell:whoiskira.

3.4. Current behavior

See my Appveyor and Travis builds for details.

grunt shell:whoiskira

[dotenvx@1.41.0] injecting env (2) from .env

Running "shell:whoiskira" (shell) task

Warning: Done, with errors: command "Goddess" (target "whoiskira") exited with code 127. Use --force to continue.

Aborted due to warnings.

grunt-shell-spawn prints Goddess, the decrypted value of the KIRA variable, to the console. In real-world examples grunt-shell-spawn prints API keys and tokens to the console if a command exits with a non-zero exit code.

4. Example of desired behavior

For example, it would be nice if grunt-shell-spawn had an option like hideEnvironmentVariables:

			options:
+				hideEnvironmentVariables: true
				stderr: false

If true, grunt-shell-spawn will hide environment variables:

- Warning: Done, with errors: command "Goddess" (target "whoiskira") exited with code 127. Use --force to continue.
+ Warning: Done, with errors: command "[secure_variable]" (target "whoiskira") exited with code 127. Use --force to continue.

It would be nice to see in console [secure_variable] instead of decrypted value Goddess.

But maybe there are much better ways to hide credentials than the method described in my example.

Thanks.
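One way the proposed hideEnvironmentVariables option could be implemented, as an added example that is not grunt-shell-spawn's own code: before the warning is built, every environment-variable value that occurs in the command string is replaced with the [secure_variable] placeholder from the request above. The function names, the minLength safeguard and the sample env values are assumptions for this illustration.

```javascript
// Added example (not grunt-shell-spawn's own code): redact environment-variable
// values from a command string before it appears in a failure message.
// The option name `hideEnvironmentVariables` and the `[secure_variable]`
// placeholder come from the feature request; everything else is assumed.
const PLACEHOLDER = "[secure_variable]";

// Escape a literal string so it can be used safely inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Replace every occurrence of any environment-variable value found in
// `command` with the placeholder. Values shorter than `minLength` are skipped:
// redacting "1" or "/" would mangle the message without protecting anything.
// Longer values are handled first so that a value which is a prefix of another
// value does not leave a fragment of the longer one behind.
function redactCommand(command, env, { minLength = 4 } = {}) {
  const values = [...new Set(Object.values(env))]
    .filter((v) => typeof v === "string" && v.length >= minLength)
    .sort((a, b) => b.length - a.length);
  let out = command;
  for (const value of values) {
    out = out.replace(new RegExp(escapeRegExp(value), "g"), PLACEHOLDER);
  }
  return out;
}

// Build the warning text grunt-shell-spawn emits on a non-zero exit code,
// redacting the command when `hideEnvironmentVariables` is set.
function failureMessage({ command, target, code, env, hideEnvironmentVariables = false }) {
  const shown = hideEnvironmentVariables ? redactCommand(command, env) : command;
  return 'Done, with errors: command "' + shown + '" (target "' + target +
    '") exited with code ' + code + ".";
}

// Constructed sample env: the decrypted KIRA value from the MCVE plus an
// assumed API token; returns the redacted messages instead of printing them.
function demo() {
  const env = { KIRA: "Goddess", API_TOKEN: "tok_abc123", HOME: "/home/ci", N: "1" };
  return [
    failureMessage({ command: "Goddess", target: "whoiskira", code: 127, env,
      hideEnvironmentVariables: true }),
    failureMessage({ command: "curl -H 'Authorization: Bearer tok_abc123' https://example.invalid",
      target: "deploy", code: 22, env, hideEnvironmentVariables: true }),
  ];
}
```

Redaction by value rather than by variable name means a value that is only passed through a <%= %> template, as in the MCVE, is still caught, while short or empty values are left alone so the message stays readable.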
