starred/asciinema
1
0
Fork 0
mirror of https://github.com/asciinema/asciinema.git synced 2026-04-25 07:55:51 +03:00
Code Issues 8 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #216] Including command in asciinema recordings is a security problem #773

New issue
Closed
opened 2026-03-15 10:20:48 +03:00 by kerem · 5 comments
kerem commented 2026-03-15 10:20:48 +03:00
Owner
Copy link

Originally created by @cemerick on GitHub (Jul 17, 2017).
Original GitHub issue: https://github.com/asciinema/asciinema/issues/216

I discovered that if I provide a command e.g. asciinema rec -c 'export API_KEY=...; ./script.sh' output.json, then that command will be included verbatim in output.json in the command slot. Now that I know this, I can take care to put sensitive information (like API keys, URLs for private services, etc) in a script or scrub the output to null out the command attribute, but I'd like to suggest that command be included only when explicitly requested.

Originally created by @cemerick on GitHub (Jul 17, 2017). Original GitHub issue: https://github.com/asciinema/asciinema/issues/216 I discovered that if I provide a command e.g. `asciinema rec -c 'export API_KEY=...; ./script.sh' output.json`, then that command will be included verbatim in `output.json` in the `command` slot. Now that I know this, I can take care to put sensitive information (like API keys, URLs for private services, etc) in a script or scrub the output to null out the `command` attribute, but I'd like to suggest that `command` be included only when explicitly requested.
kerem 2026-03-15 10:20:48 +03:00
kerem commented 2026-03-15 10:21:06 +03:00
Author
Owner
Copy link

@ku1ik commented on GitHub (Jul 17, 2017):

Good catch. For some reason it never occured to me (and I am person who does care about privacy in general).

We can either disable it by default and add a switch + config file option like you suggested, or we can include command when recording to a file but drop it from JSON when uploading (both when uploading implicitly through asciinema rec or when doing it explicitly from local file through asciinema upload file.json).

<!-- gh-comment-id:315786520 --> @ku1ik commented on GitHub (Jul 17, 2017): Good catch. For some reason it never occured to me (and I am person who does care about privacy in general). We can either disable it by default and add a switch + config file option like you suggested, or we can include `command` when recording to a file but drop it from JSON when uploading (both when uploading implicitly through `asciinema rec` or when doing it explicitly from local file through `asciinema upload file.json`).
kerem commented 2026-03-15 10:21:11 +03:00
Author
Owner
Copy link

@cemerick commented on GitHub (Jul 17, 2017):

rec time is really when it matters; especially for those that are self-hosting the player (like me), the assumption is that you can just drop the JSON file anywhere as-is.

<!-- gh-comment-id:315809186 --> @cemerick commented on GitHub (Jul 17, 2017): `rec` time is really when it matters; especially for those that are self-hosting the player (like me), the assumption is that you can just drop the JSON file anywhere as-is.
kerem commented 2026-03-15 10:21:16 +03:00
Author
Owner
Copy link

@ku1ik commented on GitHub (Jul 17, 2017):

Fair enough. There's not that much use for it anyway - we display it on the recording page in place of a title when a title was not explicitly set and the recording explicitly specified the command via -c (which is less frequent case).

<!-- gh-comment-id:315836869 --> @ku1ik commented on GitHub (Jul 17, 2017): Fair enough. There's not _that_ much use for it anyway - we display it on the recording page in place of a title when a title was not explicitly set and the recording explicitly specified the command via `-c` (which is less frequent case).
kerem commented 2026-03-15 10:21:21 +03:00
Author
Owner
Copy link

@cemerick commented on GitHub (Jul 17, 2017):

In that case, it seems like you want exactly the reverse of what you suggested: exclude when writing the file, but include when uploading?

<!-- gh-comment-id:315845861 --> @cemerick commented on GitHub (Jul 17, 2017): In that case, it seems like you want exactly the reverse of what you suggested: exclude when writing the file, but include when uploading?
kerem commented 2026-03-15 10:21:27 +03:00
Author
Owner
Copy link

@ku1ik commented on GitHub (Oct 27, 2017):

This was solved in #234.

<!-- gh-comment-id:339893299 --> @ku1ik commented on GitHub (Oct 27, 2017): This was solved in #234.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
dependabot/cargo/rustls-webpki-0.103.13
dependabot/cargo/rand-0.9.3
dependabot/cargo/quinn-proto-0.11.14
main
python
golang
v3.2.0
v3.1.0
v3.0.1
v3.0.0
v3.0.0-rc.5
v3.0.0-rc.4
v3.0.0-rc.3
v3.0.0-rc.2
v3.0.0-rc.1
v2.4.0
v2.3.0
v2.2.0
v2.1.0
v2.0.2
v2.0.1
v2.0.0
v1.4.0
v1.3.0
v1.2.0
v1.1.1
v1.1.0
v1.0.0
v1.0.0.rc2
v1.0.0.rc1
v0.9.9
v0.9.8
v0.9.7
v0.9.6
v0.9.5
v0.9.4
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.1
Labels
Clear labels   
bug

   
compatibility

   
feature request

   
fit for beginners

   
help wanted

   
hosting

   
idea

   
improvement

   
packaging

   
pull-request

Mirrored from GitHub Pull Request

No labels
bug
compatibility
feature request
fit for beginners
help wanted
hosting
idea
improvement
packaging
pull-request
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/asciinema#773
No description provided.