Merge branch 'gopasspw:master' into mindFlagCompleter

Author: GLobyNew

docs/commands/otp.md

@@ -5,6 +5,8 @@ The command tries to parse the password and the totp fields as an OTP URL.
 
 Note: HTOP is currently not supported.
 
+Note: If `show.safecontent` is enabled, OTP URLs are hidden from the `show` command.
+
 ## Modes of operation
 
 * Generate the current TOTP token from a valid OTP URL
@@ -17,4 +19,4 @@ Note: HTOP is currently not supported.
 | `--clip`     | `-c`    | Copy the time-based token into the clipboard.                            |
 | `--qr`       | `-q`    | Write QR code to file.                                                   |
 | `--password` | `-o`    | Only display the token. For use in scripts.                              |
-| `--snip`     | `-s`    | Try and find a QR code in the screen content to add as OTP to the entry. |
+| `--snip`     | `-s`    | Try and find a QR code in the screen content to add as OTP to the entry. |

docs/commands/show.md

@@ -108,6 +108,8 @@ The secrets are split into 3 categories:
    username, it should be enclosed in string delimiters: `username: "0123"` will always be parsed as the string `0123`
    and not as octal.
 
+By default, `safecontent` will remove the first line (the password), every line starting with `otpauth://` in the body, and every YAML values where the key is one of the following: `hotp`, `otpauth`, `password`, `totp`.
+
 Both the key-value and the YAML format support so-called "unsafe-keys", which is a key-value that allows you to specify keys that should be hidden when using `gopass show` with `gopass config safecontent` set to true.
 E.g:
 ```

internal/action/show.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"slices"
 	"strconv"
 	"strings"
 
@@ -273,7 +274,7 @@ func (s *Action) showGetContent(ctx context.Context, sec gopass.Secret) (string,
 	// everything but the first line.
 	if config.Bool(ctx, "show.safecontent") && !ctxutil.IsForce(ctx) && ctxutil.IsShowParsing(ctx) {
 		body := showSafeContent(sec)
-		if IsAlsoClip(ctx) {
+		if IsAlsoClip(ctx) || config.Bool(ctx, "show.autoclip") {
 			return pw, body, nil
 		}
 
@@ -306,13 +307,21 @@ func showSafeContent(sec gopass.Secret) string {
 		}
 	}
 
-	sb.WriteString(sec.Body())
+	for _, l := range strings.Split(sec.Body(), "\n") {
+		if strings.HasPrefix(l, "otpauth://") {
+			sb.WriteString(fmt.Sprintf("\notpauth://%s", randAsterisk()))
+
+			continue
+		}
+		sb.WriteString(l)
+	}
 
 	return sb.String()
 }
 
 func isUnsafeKey(key string, sec gopass.Secret) bool {
-	if strings.ToLower(key) == "password" {
+	duks := []string{"hotp", "otpauth", "password", "totp"}
+	if slices.Contains(duks, key) {
 		return true
 	}
 

internal/action/show_test.go

@@ -119,6 +119,33 @@ func TestShowMulti(t *testing.T) {
 		buf.Reset()
 	})
 
+	t.Run("show entry with otpauth field with safecontent enabled", func(t *testing.T) {
+		require.NoError(t, act.insertStdin(ctx, "otpauth", []byte("123\n---\notpauth://totp/WEBSITE:@USER?secret=SECRET&issuer=GoPass"), false))
+		buf.Reset()
+
+		c := gptest.CliCtx(ctx, t, "otpauth")
+		require.NoError(t, act.Show(c))
+		assert.Contains(t, buf.String(), "otpauth://*****")
+		buf.Reset()
+	})
+
+	t.Run("show entry with otp as keys field with safecontent enabled", func(t *testing.T) {
+		sec := secrets.NewAKV()
+		sec.SetPassword("123")
+		require.NoError(t, sec.Set("otpauth", "otpauth://totp/WEBSITE:@USER?secret=SECRET&issuer=GoPass"))
+		require.NoError(t, sec.Set("totp", "otpauth://totp/WEBSITE:@USER?secret=SECRET&issuer=GoPass"))
+		require.NoError(t, sec.Set("hotp", "otpauth://totp/WEBSITE:@USER?secret=SECRET&issuer=GoPass"))
+		require.NoError(t, act.Store.Set(ctx, "otpauthKeys", sec))
+		buf.Reset()
+
+		c := gptest.CliCtx(ctx, t, "otpauthKeys")
+		require.NoError(t, act.Show(c))
+		assert.Contains(t, buf.String(), "otpauth: *****")
+		assert.Contains(t, buf.String(), "hotp: *****")
+		assert.Contains(t, buf.String(), "totp: *****")
+		buf.Reset()
+	})
+
 	t.Run("show twoliner with safecontent enabled", func(t *testing.T) {
 		c := gptest.CliCtx(ctx, t, "bar/baz")
 
@@ -315,6 +342,18 @@ func TestShowAutoClip(t *testing.T) {
 		stdoutBuf.Reset()
 		stderrBuf.Reset()
 	})
+
+	// gopass show foo with show.autoclip and show.safecontent true
+	// -> ONLY Copy to clipboard
+	t.Run("show foo with safecontent and autoclip enabled", func(t *testing.T) {
+		require.NoError(t, act.cfg.Set("", "show.autoclip", "true"))
+		require.NoError(t, act.cfg.Set("", "show.safecontent", "true"))
+		c := gptest.CliCtx(ctx, t, "foo")
+		require.NoError(t, act.Show(c))
+		assert.Contains(t, stderrBuf.String(), "WARNING")
+		assert.NotContains(t, stdoutBuf.String(), "secret")
+		stdoutBuf.Reset()
+	})
 }
 
 func TestShowHandleRevision(t *testing.T) {

internal/create/wizard.go

@@ -225,7 +225,7 @@ func mkActFunc(tpl Template, s *root.Store, cb ActionCallback) func(context.Cont
 				if v.Min > 0 && len(sv) < v.Min {
 					return fmt.Errorf("%s is too short (needs %d)", v.Name, v.Min)
 				}
-				if v.Max > 0 && len(sv) > v.Min {
+				if v.Max > 0 && len(sv) > v.Max {
 					return fmt.Errorf("%s is too long (at most %d)", v.Name, v.Max)
 				}
 				if wantForName[k] {