How to hide .env passwords in Laravel whoops output?

How can I hide my passwords and other sensitive environment variables on-screen in Laravel's whoops output?

Sometimes other people are looking at my development work. I don't want them to see these secrets if an exception is thrown, but I also don't want to have to keep toggling debug on and off, or spin up a dedicated site just for a quick preview.
As of Laravel 5.5.13, you can censor variables by listing them under the key `debug_blacklist` in `config/app.php`. When an exception is thrown, whoops will mask these values with an asterisk `*` for each character.

For example, given this `config/app.php`:

```php
return [
    // ...
    'debug_blacklist' => [
        '_ENV' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_SERVER' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_POST' => [
            'password',
        ],
    ],
];
```

Results in this output:
First of all, love the solution by Jeff above.

Second, if like me you want to hide all the env variables while still using whoops, here is a solution:

```php
'debug_blacklist' => [
    '_COOKIE' => array_keys($_COOKIE),
    '_SERVER' => array_keys($_SERVER),
    '_ENV' => array_keys($_ENV),
],
```

Output:
EDIT: `debug_hide` key instead.

Thanks Jeff and Raheel for helping out, but I just found a little gotcha:

Even if I clear out all environment keys from `_ENV`, the same keys are STILL exposed through the `_SERVER` variables listed.

Adding the code below in `config/app.php` would hide all environment variables from the whoops page:

```php
'debug_blacklist' => [
    '_SERVER' => array_keys($_ENV),
    '_ENV' => array_keys($_ENV),
],
```
The solution by @jeff + @raheel is great!!! On a project recently we found we sometimes wanted to whitelist a property or two, so building on the above, you can whitelist specific properties you want to debug with something like:

```php
'debug_blacklist' => [
    '_COOKIE' => array_diff(array_keys($_COOKIE), array()),
    '_SERVER' => array_diff(array_keys($_SERVER), array('APP_URL', 'QUERY_STRING')),
    '_ENV' => array_diff(array_keys($_ENV), array()),
],
```

If you want to allow that list to be configured via `.env`, you can do something like:

```php
'debug_blacklist' => [
    '_COOKIE' => array_diff(
        array_keys($_COOKIE),
        explode(",", env('DEBUG_COOKIE_WHITELIST', ""))
    ),
    '_SERVER' => array_diff(
        array_keys($_SERVER),
        explode(",", env('DEBUG_SERVER_WHITELIST', ""))
    ),
    '_ENV' => array_diff(
        array_keys($_ENV),
        explode(",", env('DEBUG_ENV_WHITELIST', ""))
    ),
],
```

Then in your `.env`, do something like:

```ini
DEBUG_SERVER_WHITELIST="APP_URL,QUERY_STRING"
```

Cheers!
I've made a package to solve this problem.

Just install it using

```shell
composer require glaivepro/hidevara
```

Most of the server and all the env variables will be removed. Any password-like fields in `$_POST` will have their values hidden.

You can also customize it in either blacklist or whitelist approach to show/obfuscate/remove fields however you like.
Usually for local development, we should set the `APP_DEBUG` environment variable to `true`, so that we can have better insights into the debugging errors and warnings.

But in the production environment, this value should always be `false`. If the value is set to `true` in production, you risk exposing sensitive env passwords to your application's end users.

Laravel 5.5.x also provides a solution for it.

You just need to add the `debug_blacklist` option in your `config/app.php` configuration file. After adding this option, Laravel will blacklist all the keys mentioned in the `debug_blacklist` option with asterisks.

You can use it in two ways:

```php
return [
    // ...
    'debug_blacklist' => [
        '_ENV' => [
            'APP_KEY',
            'DB_PASSWORD',
        ],
        '_SERVER' => [
            'APP_KEY',
            'DB_PASSWORD',
        ],
        '_POST' => [
            'password',
        ],
    ],
];
```

```php
return [
    // ...
    'debug_blacklist' => [
        '_COOKIE' => array_keys($_COOKIE),
        '_SERVER' => array_keys($_SERVER),
        '_ENV' => array_keys($_ENV),
    ],
];
```

Reference taken from: https://techjeni.com/how-to-secure-and-hide-env-passwords-from-laravel-debug-output/
Laravel 5.6 does not work for me, but this works:

```php
$envKeys = [];
$serverKeys = [];
$cookieKeys = [];
// Only string-valued entries are collected; array values are skipped.
foreach ($_ENV as $key => $value) { if (is_string($value)) $envKeys[] = $key; }
foreach ($_SERVER as $key => $value) { if (is_string($value)) $serverKeys[] = $key; }
foreach ($_COOKIE as $key => $value) { if (is_string($value)) $cookieKeys[] = $key; }

return [
    // ...
    'debug_blacklist' => [
        '_COOKIE' => $cookieKeys,
        '_SERVER' => $serverKeys,
        '_ENV' => $envKeys,
    ],
];
```

I would be grateful for a better solution.
Just change

```ini
APP_DEBUG=true
```

to:

```ini
APP_DEBUG=false
```

in the `.env` file.
For Laravel 5.6-5.8:

```php
'debug_blacklist' => [
    '_COOKIE' => array_keys(array_filter($_COOKIE, function ($value) { return is_string($value); })),
    '_SERVER' => array_keys(array_filter($_SERVER, function ($value) { return is_string($value); })),
    '_ENV' => array_keys(array_filter($_ENV, function ($value) { return is_string($value); })),
],
```
I am also facing this issue in the production environment, Laravel 5.7: https://laravel.com/docs/5.7/configuration

Here are 3 ways we can resolve this issue.

In the `config/app.php` file, add the lines of code below.

TIPS #1: Block list for all variables

```php
'debug_blacklist' => [
    '_COOKIE' => array_keys($_COOKIE),
    '_SERVER' => array_keys($_SERVER),
    '_ENV' => array_keys($_ENV),
],
```

TIPS #2: Block list for specific variables (best practice)

```php
return [
    // ...
    'debug_blacklist' => [
        '_ENV' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
            'AWS_APP_SECRET',
            'S3_BUCKET_SECRET',
            'SOCKET_APP_SECRET',
            'TWILIO_APP_SECRET',
        ],
        '_SERVER' => [
            'APP_KEY',
            'DB_PASSWORD',
        ],
        '_POST' => [
            'password',
        ],
    ],
];
```

TIPS #3: Debug variable

```ini
APP_DEBUG=true
```

to

```ini
APP_DEBUG=false
```

NOTE: in the production environment, always keep debug false.
There's a lot of great answers here (credits to @Jeff and @Raheel and @Benjamin and everyone else), but I would like to have a bit more flexible and universal solution. I extended this snippet intended for the `config/app.php` file even further:

```php
$debug_blacklist = array();
if (env("DEBUG_VAR_LISTING") !== null)
    foreach (explode(",", env("DEBUG_VAR_LISTING", "")) as $i) {
        global ${"_{$i}"};
        if (env("DEBUG_VAR_BLACKLIST_{$i}") !== null)
            $debug_blacklist["_{$i}"] = explode(",", env("DEBUG_VAR_BLACKLIST_{$i}", ""));
        elseif (env("DEBUG_VAR_WHITELIST_{$i}") !== null)
            $debug_blacklist["_{$i}"] = array_diff(
                array_keys(${"_{$i}"}),
                explode(",", env("DEBUG_VAR_WHITELIST_{$i}", ""))
            );
    }

return [
    'debug_blacklist' => $debug_blacklist,
];
```

Then you can blacklist and whitelist directly in `.env`, and only if and what you need.

So if you don't really need anything from `$_ENV` you can block all variables and for example just passwords in `$_POST`, but show `APP_URL` and `QUERY_STRING` from `$_SERVER`:

```ini
DEBUG_VAR_LISTING="SERVER,ENV,POST,COOKIE"
DEBUG_VAR_WHITELIST_SERVER="APP_URL,QUERY_STRING"
DEBUG_VAR_WHITELIST_ENV=""
DEBUG_VAR_BLACKLIST_POST="password"
```
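As an added example (not code from any of the answers above), the following stand-alone PHP script combines the whitelist approach of the `config/app.php` snippets, the `is_string` filter from the Laravel 5.6-5.8 answer, and the `_SERVER` gotcha. It works on constructed sample superglobals (hypothetical keys and values) and re-implements whoops' per-character asterisk masking so the resulting blacklist can be checked from the command line without throwing an exception in an app:

```php
<?php
// Added example: build a whoops debug_blacklist from constructed superglobals
// and verify what would be masked. Not part of any answer on this page.

/**
 * Keys of $data that whoops should mask: every string-valued key (array values
 * such as $_SERVER['argv'] are dropped, which the 5.6-5.8 answers work around)
 * minus an explicit whitelist of keys that stay readable on the error page.
 */
function blacklistKeys(array $data, array $whitelist = []): array
{
    $stringKeys = array_keys(array_filter($data, 'is_string'));
    return array_values(array_diff($stringKeys, $whitelist));
}

/**
 * Mirror of the masking whoops applies to blacklisted entries: one asterisk
 * per character of the original value. Keys absent from $data are ignored.
 */
function maskBlacklisted(array $data, array $keys): array
{
    foreach ($keys as $key) {
        if (array_key_exists($key, $data)) {
            $data[$key] = str_repeat('*', strlen((string) $data[$key]));
        }
    }
    return $data;
}

// Constructed sample data; the values are placeholders, not real secrets.
$env = ['APP_URL' => 'http://localhost', 'DB_PASSWORD' => 'hunter22', 'APP_DEBUG' => 'true'];
// Environment keys also show up in $_SERVER (the gotcha raised above), so the
// sample server array carries the same keys plus request data and an array value.
$server = $env + ['REQUEST_URI' => '/orders', 'argv' => ['artisan']];

$config = [
    'debug_blacklist' => [
        '_ENV'    => blacklistKeys($env, ['APP_URL', 'APP_DEBUG']),
        '_SERVER' => blacklistKeys($server, ['APP_URL', 'REQUEST_URI']),
    ],
];

$maskedServer = maskBlacklisted($server, $config['debug_blacklist']['_SERVER']);
assert($maskedServer['DB_PASSWORD'] === '********');   // 8 asterisks for 'hunter22'
assert($maskedServer['REQUEST_URI'] === '/orders');    // whitelisted, left readable
assert(!in_array('argv', $config['debug_blacklist']['_SERVER'], true)); // non-string skipped
echo "DB_PASSWORD shown as: {$maskedServer['DB_PASSWORD']}\n";
```

Run it with `php -d zend.assertions=1 example.php` so the `assert()` calls are actually evaluated.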
I struggled with this too for a bit on a dev machine. My solution was to edit `vendor/filp/whoops/src/Whoops/Handler/PrettyPageHandler.php` and add in:

```php
public function sanitizePrivate($data, $badwords)
{
    foreach ($data as $key => $value) {
        foreach ($badwords as $keyword) {
            // Partial, case-insensitive match on the key name.
            if (strpos(strtolower($key), $keyword) !== FALSE) {
                $data[$key] = "***************";
            }
        }
    }
    return $data;
}
```

This converts all the incoming data to lowercase and then searches for partial matches so you don't have to specify every variation of password variable names. Then in the `handle()` function, define terms you want to exclude.

```php
$badwords = array("password", "pwd", "secret", "key", "token", "salt", "mail");
$_SERVER = $this->sanitizePrivate($_SERVER, $badwords);
$_ENV = $this->sanitizePrivate($_ENV, $badwords);
```