Option to avoid leaking sensitive environment variable values in help text

[infomorphic-matti]

It is often the case that sensitive details (API keys, cryptographic tokens, etc.) are passed to a program through environment variables, where it is sometimes desirable to pass one-off values for this on the command-line (it's bad to do this a lot because other processes can see it, but it's a useful one-off thing or in a trusted environment).

Currently, when using the .env modifier, if that environment variable is defined and --help is called, the value of the environment variable is printed as part of the string that documents default values, next to the arguments.

Perhaps it would be a good idea to add a .env_hidden function or similar that is like .env but does not emit the value of the environment variable in help strings or errors (I don't know if it emits in errors specifically, though, because I've not tried that, but I have seen it in helpstrings, hence this issue) when it's defined? I might of course be missing a way to override the string representing default values, though, but I don't think so.

On another note, I just want to express my appreciation for this crate, it's been wonderful to use.

[pacak]

There's no ready made hidden env option, but you can make one yourself: you want to have a parser that returns a String taken from some option --secret or env variable SECRET without showing contents of that secret. So you make one option that takes both command line argument and env variable and hide it and make a second option that takes only the command line argument with a help message mentioning the env variable in any way you like, then just combine those two as alternatives with construct! and use resulting parser to populate a field in your options either directly if you use combinatoric API or via external if you use derive API.

[infomorphic-matti]

Thank you! I didn't think of that.

[pacak]

Now you can write something like this and it won't show up in the help message.

fn secret() -> impl Parser<String> {
    let secret_env = env("SECRET").argument("SECRET");
    let secret_arg = long("secret").help("Secret key, you can also use env variable SECRET").argument("SECRET");
    construct!([secret_env, secret_arg])
}