Add parameter to obfuscate plaintext credentials in output

Originally posted on: https://github.com/bitwarden/cli/issues/123

I’d like to have an additional parameter for bw cli commands that return items which removes or overrides sensitive fields, e.g. bw get item, bw list items.

I don’t like that all credentials are being output on screen in plaintext when I don’t actually need them. I find myself grep-ing and filtering the bw cli output to find certain records more often than I need to query a specific item. By default, all current and past credentials will be returned without obfuscation, which is somewhat bothersome.

The following example shows my idea of what this additional parameter (e.g. --hide-plaintext, --no-plaintext) for the commands above could do:

bw list items | jq '(.[].login.password, .[].passwordHistory[]?.password, (.[].fields[]? | select(.type == 1) | .value)) |= "hidden"'

Which then returns a redacted list of items when used with bw list items or a single item when used with bw get item:

  {  
    "object": "item",
    "id": "89d15257-2367-4e2c-be7b-d15fc0e82710",
    "organizationId": "432a599a-30c7-49e7-a9f2-54dfbe6470de",
    "folderId": null,
    "type": 1,
    "name": "MyProject - Docker Registry - Deploy",
    "notes": "Application Token is stored in the Password field (for password history)",
    "favorite": false,
    "fields": [
      {
        "name": "Account Password",
+       "value": "hidden",
        "type": 1
      },
      {
        "name": "Provider",
        "value": "AWS",
        "type": 0
      }
    ],
    "login": {
      "uris": [
        {
          "match": 5,
          "uri": "registry.mydomain.net/myproject/"
        }
      ],
      "username": "svc-deploy-myproject",
+     "password": "hidden",
      "totp": null,
      "passwordRevisionDate": "2020-03-02T15:46:07.545Z"
    },
    "collectionIds": [
      "6ef0c82b-961f-3587-8de1-2b52df0e172f"
    ],
    "revisionDate": "2020-03-02T15:49:32.000Z",
    "passwordHistory": [
      {
        "lastUsedDate": "2020-03-01T12:46:07.546Z",
+       "password": "hidden"
      },
      {
        "lastUsedDate": "2020-03-02T15:46:07.545Z",
+       "password": "hidden"
      }
    ]
  },

It would be great if this could be part of bitwarden CLI itself.

I’d like to second this, and ask that the options be --show-password, i.e. I’d like the default to be redacted passwords, as bw get already provides access to the decrypted fields.

A nice easy way to do this that I’ve used in another application that produces JSON containing sensitive data – Unicode-escape the content. It’s 100% parseable by any proper JSON library, but not user readable:

Example:

{
   "password" : "\u0061\u0064\u006d\u0069\u006e"
}

That should parse as ‘admin’ fine with any JSON library with no code change at all - but is obviously not readable.

That obviously still includes the data in the output, but has the benefit that it could be turned on without affecting any downstream. I do think there is value to ‘not including the data at all’ though.
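
The two approaches from this thread side by side, as an added example that is not part of any post or of the Bitwarden CLI: `redact` masks the same three kinds of value as the jq filter in the request, `unicode_escape` produces the escaped form from the last comment, and `recoverable` reports which secrets a JSON parser still gets back from a given output. The sample items and all function names are constructed for illustration.

```python
import copy
import json

# Constructed sample in the shape shown in the thread; all values are made up.
SAMPLE = [
    {"type": 1, "name": "registry",
     "fields": [{"name": "Account Password", "value": "s3cret", "type": 1},
                {"name": "Provider", "value": "AWS", "type": 0}],
     "login": {"username": "svc-deploy", "password": "pw-now", "totp": None},
     "passwordHistory": [{"lastUsedDate": "2020-03-01T12:46:07.546Z",
                          "password": "pw-old"}]},
    # Secure note: login, fields and history are all null.
    {"type": 2, "name": "note", "fields": None, "login": None,
     "passwordHistory": None},
]

HIDDEN_FIELD = 1  # the field type the thread's jq filter selects on


def redact(items, mask="hidden"):
    """Return a copy with the three value kinds from the jq filter masked."""
    out = copy.deepcopy(items)  # never mutate the caller's decrypted data
    for item in out:
        login = item.get("login") or {}  # null login: nothing to mask
        if login.get("password") is not None:
            login["password"] = mask
        for entry in item.get("passwordHistory") or []:
            entry["password"] = mask
        for field in item.get("fields") or []:
            if field.get("type") == HIDDEN_FIELD:
                field["value"] = mask
    return out


def unicode_escape(value):
    """Encode a string as a JSON literal made only of \\uXXXX escapes."""
    raw = value.encode("utf-16-be")  # yields surrogate pairs beyond the BMP
    units = [raw[i:i + 2].hex() for i in range(0, len(raw), 2)]
    return '"' + "".join("\\u" + u for u in units) + '"'


def recoverable(output_text, secrets):
    """Secrets a stock JSON parser still yields from the given output."""
    decoded = json.dumps(json.loads(output_text), ensure_ascii=False)
    return [s for s in secrets if s in decoded]
```

Escaped output keeps every secret recoverable by any consumer of the JSON, so it only guards against reading the screen; redacted output removes the values from the stream entirely.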