
Probably a small shell script problem: I am trying to avoid printing secret values to console output or logs. I have to read a file line by line, then replace any variable values in every line and write output to a new file.

Here is my code to read and write, but the problem is that input.txt contains secret variables that are coming from another system or, let's say, environment variables.

```sh
source ./environment

while read line;
    do eval echo \"$line\";
done < input.txt > output.txt
```

The ./environment file contains some variable values.

Here is what input.txt looks like:

```
projectName=Alpha
apiKey=${SECREST_APIKEY}
userKey=${SECRET_USERKEY}
projectVersion={$VERSION}
requesterEmail=
```

Console logs:

```
...
+ read line
+ eval echo '"projectName=Alpha"'
++ echo projectName=Alpha
projectName=Alpha
+ read line
+ eval echo '"apiKey=${CFG_APIKEY}"'
++ echo apiKey=blablablablablabla
+ read line
+ eval echo '"userKey=${CFG_USERKEY}"'
++ echo userKey=keyKEYkey
...
```

But the console logs print everything, including the secret. I know it is because of echo in my code, but I do not know what the alternate solution is here. Please direct me if this problem was already covered in another question.

unawaz
  • Please do not use `while read line; do eval echo \"$line\"; done < input.txt > output.txt`. It breaks on multiline commands. Why not just execute `input.txt` as `bash input.txt`? Or, if you want it in the current shell, `source` it? – anishsane Oct 23 '20 at 12:12
  • The output that you show, with `+` and `++`, looks like output from using `set -vx` (or `set -x`). Turn that off by putting `set +vx` before the loop. But yes, read about sourcing files, which you can do with `. myFile` or `source myFile`. Good luck. – shellter Oct 23 '20 at 12:57
  • It might also be possible to replace non-static variables using the `envsubst` command. – unawaz Oct 26 '20 at 18:13
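
An added example, not part of the original post or its comments: one way to expand `${NAME}` placeholders from a template without `eval` and without the values reaching a `set -x` trace. The names `load_env`, `render_template` and `demo` and all sample values are constructed for illustration; it assumes POSIX sh with awk and that the variables can be exported.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh and awk.

# load_env FILE: source FILE with auto-export on and xtrace off, so an active
# `set -x` cannot print the secret assignments; xtrace is restored afterwards.
load_env() {
    case $- in *x*) _had_x=1 ;; *) _had_x=0 ;; esac
    { set +x; } 2>/dev/null
    set -a; . "$1"; set +a
    if [ "$_had_x" -eq 1 ]; then set -x; fi
}

# render_template FILE: print FILE with each ${NAME} replaced by the exported
# variable NAME. awk reads values from ENVIRON, so they never become shell
# words (nothing for xtrace to show) and no template text is eval'd.
# An unset NAME aborts with status 1, reporting the name and line number only.
render_template() {
    awk '{
        out = ""; rest = $0
        while (match(rest, /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
            name = substr(rest, RSTART + 2, RLENGTH - 3)
            if (!(name in ENVIRON)) {
                print "unset variable " name " on line " NR > "/dev/stderr"
                exit 1
            }
            out = out substr(rest, 1, RSTART - 1) ENVIRON[name]
            rest = substr(rest, RSTART + RLENGTH)
        }
        print out rest
    }' "$1"
}

# Demo on constructed data: show the trace and check the secret is not in it.
demo() {
    d=$(mktemp -d) || return 1
    printf 'SECRET_APIKEY=constructed-secret-123\n' > "$d/environment"
    printf 'projectName=Alpha\napiKey=${SECRET_APIKEY}\n' > "$d/input.txt"
    (
        set -x
        load_env "$d/environment"
        umask 077    # output.txt holds secrets: owner-only permissions
        render_template "$d/input.txt" > "$d/output.txt"
    ) 2> "$d/trace.log"
    cat "$d/trace.log"
    if grep -q 'constructed-secret-123' "$d/trace.log"; then rc=1; else rc=0; fi
    rm -rf "$d"
    return "$rc"
}
demo
```

Text that does not match the `${NAME}` pattern, such as `{$NAME}` or `$(command)`, is copied through unchanged and never executed.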

0 Answers