From e92517df50a7450ec51f2dbb872f89034e90e6d4 Mon Sep 17 00:00:00 2001
From: Tom Ryder
Date: Sun, 10 Jun 2018 00:24:34 +1200
Subject: Completely refactor for version 1.0.0

Turn off leaky options globally just after startup if we have only one file to edit and it matches the typical pass(1) path.
---
 README.markdown | 13 +++++-----
 VERSION | 2 +-
 doc/redact_pass.txt | 30 +++++++++++-----------
 plugin/redact_pass.vim | 67 ++++++++++++++++++++++++++++----------------------
 4 files changed, 61 insertions(+), 51 deletions(-)

diff --git a/README.markdown b/README.markdown
index 8087640..eeee26b 100644
--- a/README.markdown
+++ b/README.markdown
@@ -1,17 +1,16 @@
 redact\_pass.vim
 ================
-This plugin switches off the` 'viminfo'`, `'backup'`, `'swapfile'`, and
-`'undofile'` options locally for the buffer when editing passwords in the
-`pass(1)` password manager, or a comparable tool if `g:redact_pass_pattern` is
-set beforehand.
+This plugin switches off the 'viminfo', 'backup', 'writebackup', 'swapfile',
+and 'undofile' options globally when editing a password in `pass(1)`.
 This is to prevent anyone being able to extract passwords from your Vim cache files in the event of a compromise.
-Test this carefully to make sure it works! If it doesn't, it is probably
-because you need to set `g:redact_pass_pattern` to fit your system's behaviour,
-or the plugin hasn't loaded at all.
+You should test this after installed to ensure you see this message is printed
+whenever you `pass edit`:
+
+> Editing password file--disabled leaky options!
 License
 -------
diff --git a/VERSION b/VERSION
index 6e8bf73..3eefcb9 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.1.0
+1.0.0
diff --git a/doc/redact_pass.txt b/doc/redact_pass.txt
index 2676129..87df5ec 100644
--- a/doc/redact_pass.txt
+++ b/doc/redact_pass.txt
@@ -1,32 +1,34 @@
-*redact_pass.txt* For Vim version 6.0 Last change: 2018 June 6
+*redact_pass.txt* For Vim version 6.0 Last change: 2018 June 10
 DESCRIPTION *redact_pass*
-This plugin switches off the 'viminfo', 'backup', 'swapfile', and 'undofile'
-options locally for the buffer when editing passwords in the `pass(1)`
-password manager, or a comparable tool if `g:redact_pass_pattern` is set
-beforehand.
+This plugin switches off the 'viminfo', 'backup', 'writebackup', 'swapfile',
+and 'undofile' options globally when editing a password in `pass(1)`.
 This is to prevent anyone being able to extract passwords from your Vim cache files in the event of a compromise.
-Test this carefully to make sure it works! If it doesn't, it is probably
-because you need to set `g:redact_pass_pattern` to fit your system's
-behaviour, or the plugin hasn't loaded at all.
+You should test this after installed to ensure you see this message is printed
+whenever you `pass edit`:
+
+> Editing password file--disabled leaky options!
 REQUIREMENTS *redact_pass-requirements*
 This plugin is only available if 'compatible' is not set. It also requires the |+autocmd| feature.
-OPTIONS *redact_pass-options*
+IMPLEMENTATION *redact_pass-implementation*
-There is one options you can set in your |vimrc| before loading the plugin:
+The options are disabled globally rather than attempting to set them local to
+the buffer only, which was the flawed approach of previous versions. This is
+mostly because of the 'viminfo' option; it's global, and there's no meaningful
+way to exclude information from the sensitive buffer from appearing in it.
- *g:redact_pass_backup*
-Set `g:redact_pass_pattern` to specify the path pattern for which the options
-should be disabled. This defaults to a value based on the source code of
-`pass(1)`.
+Because the typical use case for editing a password file in Vim is that you
+load and change a single short document, and then quit, it's more sensible to
+just turn the relevant options off completely, and makes what the plugin is
+doing more reliable and straightforward to understand.
 AUTHOR *redact_pass-author*
diff --git a/plugin/redact_pass.vim b/plugin/redact_pass.vim
index 75776d6..66916a7 100644
--- a/plugin/redact_pass.vim
+++ b/plugin/redact_pass.vim
@@ -1,15 +1,10 @@
 "
-" redact_pass.vim: Switch off the 'viminfo', 'backup', 'swapfile', and
-" 'undofile' when editing passwords in the pass(1) password manager, or a
-" comparable tool if g:redact_pass_pattern is set beforehand.
+" redact_pass.vim: Switch off the 'viminfo', 'backup', 'writebackup',
+" 'swapfile', and 'undofile' globally when editing a password in pass(1).
 "
 " This is to prevent anyone being able to extract passwords from your Vim
 " cache files in the event of a compromise.
 "
-" Test this carefully to make sure it works! If it doesn't, it is probably
-" because you need to set g:redact_pass_pattern to fit your system's
-" behaviour, or the plugin hasn't loaded at all.
-"
 " Author: Tom Ryder
 " License: Same as Vim itself
 "
@@ -21,37 +16,51 @@ if !has('autocmd')
 endif
 let g:loaded_redact_pass = 1
-" Set g:redact_pass_pattern to a default based on the pass(1) code, if it
-" hasn't already been set
-if !exists('g:redact_pass_pattern')
- let g:redact_pass_pattern
- \ = '/dev/shm/pass.*/*,$TMPDIR/pass.*/*,/tmp/pass.*/*'
-endif
+" Pattern to match for the portion of the path after the temporary dir,
+" starting with the leading slash
+let s:pattern = '\m\C/pass\.[^/]\+/[^/]\+\.txt$'
-" Function to switch the options off for just the current buffer
-function! s:RedactPass()
+" Check whether the given dir name is not an empty string, whether the first
+" file in the argument list is within the named dir, and that the whole path
+" matches the above pattern immediately after that dir name
+function! s:PassPath(root)
+ return strlen(a:root)
+ \ && stridx(argv(0), a:root) == 0
+ \ && strlen(a:root) == match(argv(0), s:pattern)
+endfunction
-
- " Unset options
- setlocal nobackup
- setlocal nowritebackup
- setlocal noswapfile
- if has('viminfo')
- setlocal viminfo=
+" Check whether we should set redacting options or not
+function! s:CheckArgsRedact()
+
+ " Short-circuit unless we're editing just one file and it looks like a path
+ " in one of the three expected directories; we're trying hard to make sure
+ " this really is a password file and we're not messing with the user's
+ " precious settings unnecessarily
+ if argc() != 1
+ \ || !s:PassPath('/dev/shm')
+ \ && !s:PassPath($TMPDIR)
+ \ && !s:PassPath('/tmp')
+ return
 endif
+
+ " Disable all the leaky options globally
+ set nobackup
+ set nowritebackup
+ set noswapfile
+ set viminfo=
 if has('persistent_undo')
- setlocal noundofile
+ set noundofile
 endif
- " Set a buffer variable to say we were here, for debugging
- let b:redact_pass_active = 1
+ " Tell the user what we're doing so they know this worked, via a message and
+ " a global variable they can check
+ echomsg 'Editing password file--disabled leaky options!'
+ let g:redact_pass_redacted = 1
 endfunction
-" Automatic command to use the function based on filename pattern
-let s:command = 'autocmd BufNewFile,BufReadPre '
- \ . g:redact_pass_pattern
- \ . ' call s:RedactPass()'
+" Auto function loads only when Vim starts up
 augroup redact_pass
 autocmd!
- execute s:command
+ autocmd VimEnter * call s:CheckArgsRedact()
 augroup END
--
cgit v1.2.3
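Review bot: The bare `set viminfo=` in the new s:CheckArgsRedact body drops the `if has('viminfo')` guard that the removed s:RedactPass had around the same option, while the `has('persistent_undo')` guard a few lines below is kept; on a Vim built without +viminfo that line is likely to fail with an "Option not supported" error (E519), and since the plugin only documents +autocmd as a requirement the guard looks worth restoring: `if has('viminfo')` / `  set viminfo=` / `endif`. Separately, the hook has moved from BufReadPre to VimEnter, which fires after the first buffer has already been loaded, so a swap file for the password file may already exist in the first usable entry of 'directory' by the time `set noswapfile` runs; Vim removes the swap file when 'swapfile' is reset, but that is an unlink rather than an overwrite, which is a caveat the new IMPLEMENTATION section of the doc could state so users with a shared 'directory' know what the plugin does and does not cover. Finally, `g:redact_pass_redacted` is only assigned on the success path, so a reader inspecting it cannot distinguish "argument was not a password file" from "plugin never ran"; a one-line comment on the early `return`, such as `" Leave g:redact_pass_redacted unset so :echo of it shows we declined`, would make the debugging contract explicit.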