From 768c84e49fe4589ef0a44d934dbeab483af2a914 Mon Sep 17 00:00:00 2001
From: Rico Huijbers <rix0rrr@gmail.com>
Date: Tue, 23 Apr 2019 11:32:59 +0200
Subject: [PATCH 1/2] fix(toolkit): stop 'cdk doctor' from printing AWS_
 variables

Fixes #1931.
---
 packages/aws-cdk/lib/commands/doctor.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/packages/aws-cdk/lib/commands/doctor.ts b/packages/aws-cdk/lib/commands/doctor.ts
index 8b19bb3be0cbc..cc589320293b5 100644
--- a/packages/aws-cdk/lib/commands/doctor.ts
+++ b/packages/aws-cdk/lib/commands/doctor.ts
@@ -45,7 +45,7 @@ function displayAwsEnvironmentVariables() {
   }
   print('ℹ️ AWS environment variables:');
   for (const key of keys) {
-    print(`  - ${colors.blue(key)} = ${colors.green(process.env[key]!)}`);
+    print(`  - ${colors.blue(key)} = ${colors.green(anonymizeAwsVariable(key, process.env[key]!))}`);
   }
   return true;
 }
@@ -68,3 +68,10 @@ function displayCdkEnvironmentVariables() {
   }
   return healthy;
 }
+
+function anonymizeAwsVariable(name: string, value: string) {
+  if (name === 'AWS_ACCESS_KEY_ID') { return value.substr(0, 4) + '*'.repeat(Math.max(0, value.length - 4)); }
+  if (name === 'AWS_SECRET_ACCESS_KEY') { return '*'.repeat(value.length); }
+  if (name === 'AWS_SESSION_TOKEN') { return '*'.repeat(50); }
+  return value;
+}

From 3b5fb91eee9a69622e3e84fe72b7a0fdf521bcd5 Mon Sep 17 00:00:00 2001
From: Rico Huijbers <rix0rrr@gmail.com>
Date: Tue, 23 Apr 2019 15:34:10 +0200
Subject: [PATCH 2/2] Use <redacted> instead of asterisks

---
 packages/aws-cdk/lib/commands/doctor.ts | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/packages/aws-cdk/lib/commands/doctor.ts b/packages/aws-cdk/lib/commands/doctor.ts
index cc589320293b5..94fa2d638ebef 100644
--- a/packages/aws-cdk/lib/commands/doctor.ts
+++ b/packages/aws-cdk/lib/commands/doctor.ts
@@ -70,8 +70,7 @@ function displayCdkEnvironmentVariables() {
 }
 
 function anonymizeAwsVariable(name: string, value: string) {
-  if (name === 'AWS_ACCESS_KEY_ID') { return value.substr(0, 4) + '*'.repeat(Math.max(0, value.length - 4)); }
-  if (name === 'AWS_SECRET_ACCESS_KEY') { return '*'.repeat(value.length); }
-  if (name === 'AWS_SESSION_TOKEN') { return '*'.repeat(50); }
+  if (name === 'AWS_ACCESS_KEY_ID') { return value.substr(0, 4) + '<redacted>'; }  // Show ASIA/AKIA key type, but hide identifier
+  if (name === 'AWS_SECRET_ACCESS_KEY' || name === 'AWS_SESSION_TOKEN') { return '<redacted>'; }
   return value;
 }