Display env vars with concealed value by default.

[fnando]

What

$ STELLAR_SECRET_KEY=abc STELLAR_RPC_HEADERS=a=1 STELLAR_SIGN_WITH_KEY=b target/debug/stellar env
STELLAR_ACCOUNT=default           # use
STELLAR_NETWORK=local             # use
STELLAR_RPC_HEADERS=<concealed>   # env
STELLAR_SECRET_KEY=<concealed>    # env
STELLAR_SIGN_WITH_KEY=<concealed> # env

Also, getting any non-visible value will return an empty string.

Why

https://hackerone.com/reports/3596218

Known limitations

N/A

[Copilot]

Pull request overview

This PR updates the stellar env command to avoid leaking sensitive environment variable values by default, printing <concealed> for non-visible variables and returning an empty string when a user queries a non-visible key directly.

Changes:

• Expanded the supported env var list to explicitly include secret-ish vars (e.g., SECRET_KEY, SIGN_WITH_KEY) while controlling display via a visibility allowlist.
• Updated stellar env output formatting to conceal non-visible values and suppress direct value output for non-visible keys.
• Added/updated integration tests to ensure sensitive values (RPC headers, secret key, sign-with-key) are not displayed.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
cmd/soroban-cli/src/env_vars.rs	Adds secret vars to the supported list and introduces is_visible allowlist logic.
cmd/soroban-cli/src/commands/env/mod.rs	Applies is_visible to conceal values in list output and to suppress single-key secret lookups.
cmd/soroban-cli/src/cli.rs	Simplifies env-var mapping by relying on the expanded unprefixed() list.
cmd/crates/soroban-test/tests/it/config.rs	Adds tests to confirm concealed output and absence of sensitive substrings.

[leighmcculloch]

There's not much information in the why as to why this change is being made. This seems like a pretty severe breaking change. And prevents meaningful use doesn't it? What does this protect against, anyone can simply run the env command and see all the variables. Is there a way to override to get the actual data?

[fnando]

A few things:

• Secret values shouldn't be visible (we were completely omitting them, but rpc headers was an oversight). This makes sure STELLAR_SIGN_WITH_KEY, STELLAR_RPC_HEADERS and STELLAR_SECRET_KEY are not accessible.
• It's very hard to debug the source if they're not even showing up on stellar env, so I decided to show them as <concealed>
• Future work will add --no-masking (or --reveal-concealed), so they're added to stellar env

If we think this is too much, I can remove the "concealed" part for now, and make sure it's added during the protocol upgrade release. Unfortunately, there's no way we can make this backwards compatible.

[leighmcculloch]

• It's very hard to debug the source if they're not even showing up on stellar env, so I decided to show them as <concealed>

Maybe those lines should be comments, so prefixed with a # , that way if anyone takes the output and pushes it into a shell those lines don't overwrite the current envs if they are set as env vars.

[leighmcculloch]

• Future work will add --no-masking (or --reveal-concealed), so they're added to stellar env

--reveal-concealed sgtm and the common term 'concealed' makes it easier to connect mentally.

[fnando]

Maybe those lines should be comments, so prefixed with a #

great idea!

[fnando]

done:

$ STELLAR_SECRET_KEY=abc STELLAR_RPC_HEADERS=a=1 STELLAR_SIGN_WITH_KEY=b target/debug/stellar env
STELLAR_ACCOUNT=default             # use
STELLAR_NETWORK=local               # use
# STELLAR_RPC_HEADERS=<concealed>   # env
# STELLAR_SECRET_KEY=<concealed>    # env
# STELLAR_SIGN_WITH_KEY=<concealed> # env