op run command reads non-existent item data

keiyamazaki
Community Member

I usually use 1Password with the op command, but I encountered a strange behavior where the op run command reads data for a non-existent item.

The steps to reproduce are as follows:
1. Create an item. At this time, set the item name in Japanese (I'm a Japanese user).
2. Move that item to another vault.
3. Use the op run command to access the item with the “pre-move” item ID.

When executing step 3, despite accessing the item with the pre-move Item ID, I am still able to retrieve the item’s information.

Below is the log from when I executed the op command.

% op item list --vault Old-Vault
ID                            TITLE                 VAULT                EDITED
ozym56n74fgvpo2z6uuyalfqvq    テストアイテム        Old-Vault            30 seconds ago

% op --cache=false read "op://Old-Vault/ozym56n74fgvpo2z6uuyalfqvq/password"
test-password-sfJddGyZZvDm!CJNJ7

% cat my2.env
TEST_ITEM_PASS_BY_ID="op://Old-Vault/ozym56n74fgvpo2z6uuyalfqvq/password"

% op --cache=false run --no-masking --env-file my2.env -- printenv TEST_ITEM_PASS_BY_ID
test-password-sfJddGyZZvDm!CJNJ7

# Move Item
% op item move ozym56n74fgvpo2z6uuyalfqvq --current-vault Old-Vault --destination-vault New-Vault
ID:          4ssn5vvleky4hcvyryjumvmo7u
Title:       テストアイテム
Vault:       New-Vault (y2haqnrzxfymqvglaimhfu5wwq)
Created:     now
Updated:     now by HZJFMULD5VFFVNZQ7TTGHOCMEQ
Favorite:    false
Version:     1
Category:    LOGIN
Fields:
  username:    test-user
  password:    [use 'op item get 4ssn5vvleky4hcvyryjumvmo7u --reveal' to reveal]

% op item list --vault Old-Vault

# Item ID has been changed
% op item list --vault New-Vault
ID                            TITLE                 VAULT                EDITED
4ssn5vvleky4hcvyryjumvmo7u    テストアイテム        New-Vault            27 seconds ago

# op read command can't read item data by old item id
% op --cache=false read "op://Old-Vault/ozym56n74fgvpo2z6uuyalfqvq/password"
[ERROR] 2024/10/16 15:36:37 could not read secret 'op://Old-Vault/ozym56n74fgvpo2z6uuyalfqvq/password': could not get item Old-Vault/ozym56n74fgvpo2z6uuyalfqvq: "ozym56n74fgvpo2z6uuyalfqvq" isn't an item in the "Old-Vault" vault.

# But op run command reads item data by old item id
% op --cache=false run --no-masking --env-file my2.env -- printenv TEST_ITEM_PASS_BY_ID
test-password-sfJddGyZZvDm!CJNJ7
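
An added example, not part of the original post: an offline check that flags env-file secret references whose vault/item pair no longer appears in `op item list` output, so a stale ID like the one above is caught independently of what `op run` returns. The function names are hypothetical, and the sample inputs are copied from the log above.

```python
import re

# Secret reference shape used in the post: op://<vault>/<item>/<field>
REF_RE = re.compile(r'op://([^/"\s]+)/([^/"\s]+)/([^"\s]+)')

def parse_env_refs(env_text):
    """Map each env var to the (vault, item, field) of its op:// reference."""
    refs = {}
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        match = REF_RE.search(value)
        if match:
            refs[name.strip()] = match.groups()
    return refs

def parse_item_list(table_text):
    """Collect (vault, id) and (vault, title) pairs from `op item list` tables.

    Assumes columns are separated by two or more spaces, as in the post's log;
    an empty listing (the emptied vault) contributes nothing.
    """
    known = set()
    for line in table_text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 4 or cols[0] == "ID":
            continue  # skip the header row and blank lines
        item_id, title, vault = cols[0], cols[1], cols[2]
        known.add((vault, item_id))
        known.add((vault, title))
    return known

def stale_refs(env_text, table_text):
    """Return env vars whose vault/item pair is absent from the listing."""
    known = parse_item_list(table_text)
    refs = parse_env_refs(env_text)
    return sorted(name for name, (vault, item, _field) in refs.items()
                  if (vault, item) not in known)

# Inputs copied from the post's log (vault state after the move).
ENV_FILE = 'TEST_ITEM_PASS_BY_ID="op://Old-Vault/ozym56n74fgvpo2z6uuyalfqvq/password"\n'
LISTING_AFTER_MOVE = (
    "ID                            TITLE                 VAULT                EDITED\n"
    "4ssn5vvleky4hcvyryjumvmo7u    テストアイテム        New-Vault            27 seconds ago\n"
)

if __name__ == "__main__":
    print(stale_refs(ENV_FILE, LISTING_AFTER_MOVE))
```

In practice the listing text would be the concatenated output of `op item list --vault <name>` for each vault the env file refers to.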