add environment privacy options

README.md

@@ -58,6 +58,9 @@ If you plan to use the `RUNNER_OUTFD_PID` and `RUNNER_OUTFD_STD[OUT|ERR]` variab
 - `-version`: Print version and exit.
 - `-work-dir string`: Set the working directory for the program.
 
+- `RUNNER_CENSOR_ENV` (environment variable only): Colon-separated list of environment variables whose values will be censored in output.
+- `RUNNER_HIDE_ENV` (environment variable only): Colon-separated list of environment variables which will be entirely omitted from output.
+
 #### Run as another user
 
 - `-gid int`: Run the program as the given GID. Ignored on Windows. (If provided, runner must be run as `root` or with `CAP_SETGID`.)

envprivacy.go

@@ -0,0 +1,42 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+)
+
+const (
+	minLenForCensorHint = 5
+)
+
+func hiddenEnvVars() []string {
+	return strings.Split(os.Getenv(HideEnvVarsEnvVar), ":")
+}
+
+func censoredEnvVars() []string {
+	return strings.Split(os.Getenv(CensorEnvVarsEnvVar), ":")
+}
+
+func shouldHideEnvVar(varName string) bool {
+	return stringSliceContains(hiddenEnvVars(), varName)
+}
+
+func censoredEnvVarValue(varName, value string) string {
+	if !stringSliceContains(censoredEnvVars(), varName) && varName != SMTPPassEnvVar {
+		return value
+	}
+	if len(value) < minLenForCensorHint {
+		return fmt.Sprintf("[%d chars]", len(value))
+	}
+	return fmt.Sprintf("%c[%d chars]%c", value[0], len(value)-2, value[len(value)-1])
+}
+
+func stringSliceContains(slice []string, value string) bool {
+	for _, v := range slice {
+		if v == value {
+			return true
+		}
+	}
+	return false
+}

runner.go

@@ -34,6 +34,9 @@ const (
 	OutFdStderrEnvVar = "RUNNER_OUTFD_STDERR"
 
 	LogDirEnvVar = "RUNNER_LOG_DIR"
+
+	HideEnvVarsEnvVar   = "RUNNER_HIDE_ENV"
+	CensorEnvVarsEnvVar = "RUNNER_CENSOR_ENV"
 )
 
 func usage() {
@@ -47,6 +50,10 @@ func usage() {
 		"containerization situations. The container must be run with --cap-add CAP_SYS_PTRACE.\n", OutFdPidEnvVar)
 	fmt.Printf("\nOptions:\n")
 	flag.PrintDefaults()
+	fmt.Printf("\nEnvironment variable-only options:\n")
+	fmt.Printf("  %s\n    \tColon-separated list of environment variables whose values will be censored in output."+
+		"\n    \tRUNNER_SMTP_PASS is always censored.\n", CensorEnvVarsEnvVar)
+	fmt.Printf("  %s\n    \tColon-separated list of environment variables which will be entirely omitted from output.\n", HideEnvVarsEnvVar)
 	fmt.Printf("\nVersion:\n  runner %s\n", version)
 	fmt.Printf("\nGitHub:\n  https://github.com/cdzombak/runner\n")
 	fmt.Printf("\nAuthor:\n  Chris Dzombak <https://www.dzombak.com>\n")
@@ -289,8 +296,13 @@ func main() {
 	)
 	if !*hideEnv {
 		output = output + "Environment:\n"
-		for _, v := range os.Environ() {
-			output = output + fmt.Sprintf("\t%s\n", v)
+		for _, envVar := range os.Environ() {
+			envVarPair := strings.SplitN(envVar, "=", 2)
+			envVarName := envVarPair[0]
+			if shouldHideEnvVar(envVarName) {
+				continue
+			}
+			output = output + fmt.Sprintf("\t%s=%s\n", envVarName, censoredEnvVarValue(envVarName, envVarPair[1]))
 		}
 		output = output + "\n"
 	}