[Security] Developer Environment Secrets Exposed in Logs - Credential Leak #372

@anshul23102

Description

Developer environment secrets are exposed in shell logs and command history. API keys, database passwords, and authentication tokens entered as environment variables or inline commands are logged and accessible in .bash_history or /var/log files, creating a security exposure.

Steps to Reproduce

  1. Developer sets up environment: export DB_PASSWORD=secret123
  2. Developer runs command with inline token: curl -H "Authorization: token xyz"
  3. Commands logged to .bash_history
  4. Log files written to /var/log/devshell
  5. Attacker gains access to logs and extracts credentials

Environment Information

  • Shell: Bash/Zsh
  • Log storage: .bash_history, shell logs
  • Environment setup: devshell
  • Secrets: API keys, tokens, passwords

Expected Behavior

  • Secrets not logged to history
  • Commands prefixed with a space are not recorded in history
  • Sensitive environment variables marked as secret
  • Audit trail encrypted if present

Actual Behavior

  • All commands logged including secrets
  • Credentials visible in plaintext in .bash_history
  • No filtering of sensitive data
  • Logs world-readable

Code Reference

  • File: src/devshell/init.sh
  • Missing: Secret filtering in logging
  • Missing: History exclusion for secret commands
  • Missing: Log file permissions configuration

Additional Context

Level 1 security vulnerability. Fix requires:

  • Filtering secrets from history
  • Implementing secret tagging system
  • Setting restrictive file permissions
  • Documenting safe secrets practices
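As an added example (not the project's own src/devshell/init.sh), the following sketch covers the three gaps listed under Code Reference and the first three fix items above: history exclusion for secret-bearing commands, redaction of secret values before a line is logged, and owner-only permissions on the log. The log location under $HOME, the file name, and the redaction patterns are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the project's init.sh. Assumed: a devshell that logs
# commands itself; the patterns below are illustrative, not exhaustive.

# 1. History exclusion (bash). Space-prefixed commands and common
#    secret-bearing exports are never written to .bash_history.
#    (zsh equivalent: setopt HIST_IGNORE_SPACE.)
export HISTCONTROL=ignoreboth
export HISTIGNORE='export *PASSWORD*:export *TOKEN*:export *SECRET*:export *KEY*:*Authorization:*'

# 2. Redact secret values from a command line before it reaches any log.
#    Covers VAR_PASSWORD=..., *_TOKEN=..., API_KEY=..., Authorization headers
#    and --password=/--token= style flags. Prints the redacted line.
redact_secrets() {
  local line="$1"
  line=$(printf '%s' "$line" | sed -E \
    -e 's/([A-Za-z_]*(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|KEY)[A-Za-z_]*=)[^[:space:]]+/\1[REDACTED]/g' \
    -e 's/(Authorization:[[:space:]]*[A-Za-z]+[[:space:]]+)[^"[:space:]]+/\1[REDACTED]/g' \
    -e 's/(--?(password|token|api-key)[= ])[^[:space:]]+/\1[REDACTED]/g')
  printf '%s\n' "$line"
}

# 3. Log storage: private directory and owner-only file instead of a
#    world-readable path under /var/log. Location is an assumption.
DEVSHELL_LOG_DIR="${DEVSHELL_LOG_DIR:-$HOME/.devshell}"
setup_log() {
  umask 077                       # new files are created 0600 / dirs 0700
  mkdir -p "$DEVSHELL_LOG_DIR"
  chmod 700 "$DEVSHELL_LOG_DIR"
  : > "$DEVSHELL_LOG_DIR/commands.log"
  chmod 600 "$DEVSHELL_LOG_DIR/commands.log"
}

# Write one command to the log through the redactor; returns the redacted
# line so callers (and tests) can confirm what was actually stored.
log_command() {
  local redacted
  redacted=$(redact_secrets "$1")
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$redacted" \
    >> "$DEVSHELL_LOG_DIR/commands.log"
  printf '%s\n' "$redacted"
}
```

Sourcing this from the devshell init is enough for the history settings; `setup_log` must run once per session before `log_command` is used.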

Suggested Labels

security, secrets-management, logging, critical, credential-exposure
