How to hide .env passwords in Laravel whoops output?

攒了一身酷 2020-12-07 10:48

How can I hide my passwords and other sensitive environment variables on-screen in Laravel's whoops output?

Sometimes other people are looking at my development wor

10 Answers
  • 2020-12-07 11:04

    I've made a package to solve this problem.

    Just install it using

    composer require glaivepro/hidevara
    

    Most of the server and all the env variables will be removed. Any password-like fields in $_POST will have their values hidden.

    You can also customize it in either blacklist or whitelist approach to show/obfuscate/remove fields however you like.

    0 Discussion (0)
  • 2020-12-07 11:06

    Laravel 5.6 does not work for me, but this works:

    $envKeys = [];
    $serverKeys = [];
    $cookieKeys = [];
    foreach ( $_ENV as $key => $value ) { if(is_string($value)) $envKeys[] = $key; }
    foreach ( $_SERVER as $key => $value ) { if(is_string($value)) $serverKeys[] = $key; }
    foreach ( $_COOKIE as $key => $value ) { if(is_string($value)) $cookieKeys[] = $key; }
    
    return [
    
        // ...
    
        'debug_blacklist' => [
            '_COOKIE'   => $cookieKeys,
            '_SERVER'   => $serverKeys,
            '_ENV'      => $envKeys,
        ],
    ];
    

    I would be grateful for a better solution.

    0 Discussion (0)
  • 2020-12-07 11:10

    I struggled with this too for a bit on a dev machine. My solution was to edit vendor/filp/whoops/src/Whoops/Handler/PrettyPageHandler.php and add in:

    public function sanitizePrivate($data, $badwords){
        foreach ($data as $key=>$value) {
            foreach ($badwords as $keyword) {
                // Mask the value when the lowercased key contains the keyword
                if (strpos(strtolower($key), $keyword) !== FALSE) {
                    $data[$key] = "***************";
                }
            }
        }
        return $data;
    }
    

    This converts all the incoming data to lowercase and then searches for partial matches so you don't have to specify every variation of password variable names. Then in the handle() function, define terms you want to exclude.

    $badwords = array("password", "pwd", "secret", "key", "token", "salt", "mail");
    $_SERVER=$this->sanitizePrivate($_SERVER, $badwords);
    $_ENV=$this->sanitizePrivate($_ENV, $badwords);
    
    0 Discussion (0)
  • 2020-12-07 11:15

    First of all, love the solution by Jeff above.

    2nd, if like me you wanna hide all the env variables while still using whoops, here is a solution:

    'debug_blacklist' => [
        '_COOKIE' => array_keys($_COOKIE),
        '_SERVER' => array_keys($_SERVER),
        '_ENV' => array_keys($_ENV),
    ],
    

    Output:

    EDIT:

    1. Legend has it that since Laravel 7.x you would need the debug_hide key instead
    2. If you want to hide session and cookies in Ignition (as newer versions of Laravel use flare/ignition for errors), use this: Laravel / Ignition: How to hide Session info from Request Tab?
    0 Discussion (0)
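
Added example (not from any of the answers above, and not Laravel's or whoops' own code): a keyword-based way to build the `debug_blacklist` lists, combining the substring matching from the 11:10 answer with the config approach of the 11:06 and 11:15 answers, so nothing under vendor/ is edited. The `$sensitiveKeys` closure and the sample array are assumptions made for illustration; in config/app.php the inputs would be `$_ENV`, `$_SERVER` and `$_COOKIE`.

```php
<?php
// Added example: builds the debug_blacklist lists by keyword, not by hiding every key.
// $sensitiveKeys is a hypothetical helper, written as a closure so it can sit at
// the top of config/app.php without declaring a global function.
$sensitiveKeys = static function (array $vars, array $keywords): array {
    $hits = [];
    foreach ($vars as $name => $value) {
        if (!is_string($value)) {
            continue; // same string-only filter as the 11:06 answer
        }
        foreach ($keywords as $keyword) {
            // Case-insensitive substring match on the variable name.
            if (stripos((string) $name, $keyword) !== false) {
                $hits[] = (string) $name;
                break;
            }
        }
    }
    return $hits;
};

// Keyword list taken from the 11:10 answer.
$keywords = ['password', 'pwd', 'secret', 'key', 'token', 'salt', 'mail'];

// Constructed sample standing in for $_ENV so this file runs outside Laravel.
$sampleEnv = [
    'APP_NAME'    => 'demo',
    'APP_KEY'     => 'constructed-app-key',
    'DB_HOST'     => '127.0.0.1',
    'DB_PASSWORD' => 'constructed-password',
    'MAIL_HOST'   => 'smtp.example.test',
    'argv'        => ['artisan'], // non-string value, skipped
];

$hidden = ['_ENV' => $sensitiveKeys($sampleEnv, $keywords)];

// In config/app.php this array would be returned; debug_hide is the key the
// last answer's edit names for Laravel 7.x.
$config = [
    'debug_blacklist' => $hidden,
    'debug_hide'      => $hidden,
];

print_r($config['debug_blacklist']['_ENV']);
```

Matching is on variable names only, so a secret stored under a name that contains none of the keywords stays visible. With `php artisan config:cache` the config file is evaluated once at cache time, so lists derived from `$_COOKIE` or `$_SERVER` will not reflect the keys of a later request.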