How to filter out curl commands containing API tokens?

I wonder if there is a safe way to filter out curl commands that contain API tokens, as a backup to what I have been doing, which is adding spaces in front of each command.

I will often use a curl command to query a service API and look at the output while I am working with Terraform code. It helps to see the raw feed sometimes.

But I don't want to save API tokens in Atuin history, and I wonder what syntax I should add to history_filter to get this working?

Would something like ^curl .*Authorization:.* work?

It would need to cover both Authorization: Token and Authorization: Bearer.

That would do it!

history_filter = [
    "^curl .*Authorization:.*"
]

in your config, assuming you have no other filters


Is there (or could there be) a way to just replace the sensitive bit? If the regex had a capture group in it, could it store the command but replace the match with ****** or similar?

There isn’t, but there could be. I’d be concerned about storing a command that executed successfully, but when replayed (and not edited) fails - so we’d need a nice way to work around that. One possibility would be somehow prompting for the value I suppose (env var, literally just type it, something).

I've alluded a few times in the past to the fact that Atuin's e2e encryption + sync would also do quite nicely for storing secrets; capture groups could store the secret separately from the history and apply different controls on accessing it. But I think that's a bit much for right now.

I found a slight flaw in my regex.

If the example command I copy contains line breaks (e.g. \) then it still records them in the history. So I have updated it slightly.

^curl .*\n|.*Authorization:.*

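To see why the first pattern lets a backslash-continued curl command through and why the updated one catches it, here is a small Python re-implementation of how a history_filter list behaves. This is an added example, not Atuin's code: it assumes Atuin tries each pattern as an unanchored search (so `^` only matches at the start of the whole command and `.` does not cross a newline, which is also how the Rust regex crate behaves for these patterns), and the commands and tokens are constructed for the test. The `redact` function illustrates the capture-group masking idea raised in the thread; the thread confirms Atuin does not do this, so treat it as hypothetical.

```python
import re

# Constructed sample history entries (fake tokens), including one copied with
# backslash line continuations, which is the case the first regex missed.
SAMPLE_COMMANDS = [
    'curl -H "Authorization: Bearer abc123" https://api.example.com/v1/items',
    "curl -H 'Authorization: Token def456' https://api.example.com/v1/items",
    'curl \\\n  -H "Authorization: Bearer abc123" \\\n  https://api.example.com/v1/items',
    "curl https://api.example.com/health",
    "terraform plan",
]

# The two history_filter lists from the thread, as Python raw strings.
FIRST_FILTER = [r"^curl .*Authorization:.*"]
UPDATED_FILTER = [r"^curl .*\n|.*Authorization:.*"]


def is_filtered(command, patterns):
    """Mimic history_filter: a command is dropped if any pattern matches it.

    re.search is unanchored; without re.MULTILINE '^' only matches at the
    start of the command and '.' stops at a newline, so a continuation line
    can hide the Authorization header from the first pattern.
    """
    return any(re.search(p, command) for p in patterns)


def apply_filter(commands, patterns):
    """Return the commands that would survive into history."""
    return [c for c in commands if not is_filtered(c, patterns)]


# Hypothetical redaction (not an Atuin feature): keep the command, mask the
# token after 'Authorization: Bearer' or 'Authorization: Token'. The token
# class excludes quotes so the surrounding shell quoting is preserved.
REDACT_PATTERN = re.compile(r"(Authorization:\s*(?:Bearer|Token)\s+)([^\s\"']+)")


def redact(command):
    return REDACT_PATTERN.sub(r"\1******", command)


if __name__ == "__main__":
    for name, patterns in (("first", FIRST_FILTER), ("updated", UPDATED_FILTER)):
        print(f"{name} filter keeps:")
        for c in apply_filter(SAMPLE_COMMANDS, patterns):
            print("  " + c.replace("\n", "\\n"))
    print("redacted:", redact(SAMPLE_COMMANDS[0]))
```

Running it shows the first filter keeping the multi-line curl (token and all) while the updated filter drops it. The updated pattern's `^curl .*\n` branch also drops every multi-line curl command whether or not it carries a token, which is the trade-off being made; a pattern like `Authorization:\s*(Bearer|Token)` with no `^curl` anchor would drop only commands that actually contain such a header, on any line.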

Maybe it would be nice to detect secrets with a tool like gitleaks (https://github.com/gitleaks/gitleaks), or do something similar.

We already do 🙂

The set of secret regexes is pretty small though; if anyone fancies adding more I'd happily merge them.

See
