"
" redact_pass.vim: Switch off the 'viminfo', 'backup', 'writebackup',
" 'swapfile', and 'undofile' globally when editing a password in pass(1).
"
" This is to prevent anyone being able to extract passwords from your Vim
" cache files in the event of a compromise.
"
" Author: Tom Ryder <tom@sanctum.geek.nz>
" License: Same as Vim itself
"
" Load guard: do nothing if the plugin is already loaded, if Vim is in
" 'compatible' mode, or if this Vim is too old or lacks autocommands.
" This guard is written without line continuations because they are not
" parsed when 'compatible' is set, and the autocmd definitions later in
" this file rely on them.
if &compatible || exists('g:loaded_redact_pass')
  finish
elseif v:version < 600 || !has('autocmd')
  finish
endif
" Mark the plugin as loaded so that sourcing this file again is a no-op
let g:loaded_redact_pass = 1
" Check whether we should set the redacting options, and set them if so
function! s:CheckArgsRedact()

  " Only act when Vim was started with exactly one file argument and that
  " argument, made absolute, is the file the autocmd matched; in every other
  " case return without changing any option.
  "
  " NOTE(review): this early return is silent. The only confirmation that
  " the options were applied is the message and g:redact_pass_redacted set
  " at the end of this function, so check for them when it matters.
  if argc() != 1
    return
  endif
  if fnamemodify(argv(0), ':p') !=# expand('<afile>:p')
    return
  endif

  " Stop Vim writing backups, swap files, and viminfo history to disk.
  " :set rather than :setlocal is deliberate: it changes the global values
  " as well, so buffers opened later in this session are covered too.
  set nobackup nowritebackup noswapfile viminfo=

  " 'undofile' only exists in builds with persistent undo support
  if has('persistent_undo')
    set noundofile
  endif

  " NOTE(review): this runs on VimEnter, i.e. after the argument file has
  " been loaded, so a swap file may already have been created by then.
  " Resetting 'swapfile' should remove it, but that is an ordinary delete,
  " not a secure wipe -- confirm where 'directory' points on systems where
  " this matters.

  " Report success to the user and record it in a global variable that can
  " be inspected afterwards. The redraw comes first, presumably so that the
  " message is not lost to the initial screen draw.
  redraw
  echomsg 'Editing password file--disabled leaky options!'
  let g:redact_pass_redacted = 1

endfunction
" Run the check only once, when Vim starts up (VimEnter)
augroup redact_pass
  " Clear this group first so that re-sourcing never stacks duplicate hooks
  autocmd!

  " Temporary-file locations covered: /dev/shm, $TMPDIR, and /tmp, each
  " holding a pass.* directory with a *.txt file inside it.
  "
  " NOTE(review): protection is keyed entirely on these path globs. A
  " password file opened from any other location never triggers the check,
  " and nothing is reported in that case.
  autocmd VimEnter
        \ /dev/shm/pass.?*/?*.txt,$TMPDIR/pass.?*/?*.txt,/tmp/pass.?*/?*.txt
        \ call s:CheckArgsRedact()

  " macOS temporary directories resolve through symlinks to a location
  " under /private/var, so match that form of the path as well
  if has('mac')
    autocmd VimEnter /private/var/?*/pass.?*/?*.txt call s:CheckArgsRedact()
  endif
augroup END