From a71711978e32267b194ed7850dbcd9cf6b88b999 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hannes=20K=C3=B6rber?=
Date: Fri, 27 May 2022 23:37:54 +0200
Subject: [PATCH] Make sure we do not expose secrets in output
This is using the RFC-8959 URI scheme to detect secrets. Thanks hackernews for the idea ;)
---
 e2e_tests/docker-rest/flask/github.py | 2 +-
 e2e_tests/docker-rest/flask/gitlab.py | 2 +-
 e2e_tests/helpers.py | 2 ++
 e2e_tests/test_repos_find_remote.py | 28 +++++++++++++--------------
 4 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/e2e_tests/docker-rest/flask/github.py b/e2e_tests/docker-rest/flask/github.py
index 6a1f29d..e51df42 100644
--- a/e2e_tests/docker-rest/flask/github.py
+++ b/e2e_tests/docker-rest/flask/github.py
@@ -12,7 +12,7 @@ def check_headers():
 app.logger.error("Invalid accept header")
 abort(500)
 auth_header = request.headers.get("authorization")
- if auth_header != "token authtoken":
+ if auth_header != "token secret-token:myauthtoken":
 app.logger.error("Invalid authorization header: %s", auth_header)
 abort(
 make_response(
diff --git a/e2e_tests/docker-rest/flask/gitlab.py b/e2e_tests/docker-rest/flask/gitlab.py
index 12f070c..bbfb26e 100644
--- a/e2e_tests/docker-rest/flask/gitlab.py
+++ b/e2e_tests/docker-rest/flask/gitlab.py
@@ -12,7 +12,7 @@ def check_headers():
 app.logger.error("Invalid accept header")
 abort(500)
 auth_header = request.headers.get("authorization")
- if auth_header != "bearer authtoken":
+ if auth_header != "bearer secret-token:myauthtoken":
 app.logger.error("Invalid authorization header: %s", auth_header)
 abort(
 make_response(
diff --git a/e2e_tests/helpers.py b/e2e_tests/helpers.py
index c66289b..0218890 100644
--- a/e2e_tests/helpers.py
+++ b/e2e_tests/helpers.py
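Review bot: The failure branch right below the changed comparison still logs the presented credential verbatim, `app.logger.error("Invalid authorization header: %s", auth_header)`, so the mock server's own log is a second place where a `secret-token:` value can end up — one the new helpers.py assertions on the grm process output never inspect. Logging only the scheme word keeps the diagnostic useful without echoing the token, e.g. `app.logger.error("Invalid authorization header (scheme=%r)", (auth_header or "").split(" ", 1)[0])`, which also copes with a missing header. The gitlab.py hunk has the identical line and needs the same treatment. check_headers continues outside both hunks.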
@@ -18,6 +18,8 @@ def grm(args, cwd=None, is_invalid=False):
 print(f"grmcmd: {args}")
 print(f"stdout:\n{cmd.stdout}")
 print(f"stderr:\n{cmd.stderr}")
+ assert "secret-token:" not in cmd.stdout
+ assert "secret-token:" not in cmd.stderr
 assert "panicked" not in cmd.stderr
 return cmd
diff --git a/e2e_tests/test_repos_find_remote.py b/e2e_tests/test_repos_find_remote.py
index 40452a6..0ada999 100644
--- a/e2e_tests/test_repos_find_remote.py
+++ b/e2e_tests/test_repos_find_remote.py
@@ -141,7 +141,7 @@ def test_repos_find_remote_no_filter(provider, configtype, default, use_config):
 f.write(
 f"""
 provider = "{provider}"
- token_command = "echo authtoken"
+ token_command = "echo secret-token:myauthtoken"
 root = "/myroot"
 """
 )
@@ -157,7 +157,7 @@ def test_repos_find_remote_no_filter(provider, configtype, default, use_config):
 "--provider",
 provider,
 "--token-command",
- "echo authtoken",
+ "echo secret-token:myauthtoken",
 "--root",
 "/myroot",
 ]
@@ -193,7 +193,7 @@ def test_repos_find_remote_user_empty(
 with open(config.name, "w") as f:
 cfg = f"""
 provider = "{provider}"
- token_command = "echo authtoken"
+ token_command = "echo secret-token:myauthtoken"
 root = "/myroot"
 [filters]
@@ -213,7 +213,7 @@ def test_repos_find_remote_user_empty(
 "--provider",
 provider,
 "--token-command",
- "echo authtoken",
+ "echo secret-token:myauthtoken",
 "--root",
 "/myroot",
 "--user",
@@ -264,7 +264,7 @@ def test_repos_find_remote_user(
 with open(config.name, "w") as f:
 cfg = f"""
 provider = "{provider}"
- token_command = "echo authtoken"
+ token_command = "echo secret-token:myauthtoken"
 root = "/myroot"
 """
@@ -300,7 +300,7 @@ def test_repos_find_remote_user(
 "--provider",
 provider,
 "--token-command",
- "echo authtoken",
+ "echo secret-token:myauthtoken",
 "--root",
 "/myroot",
 ]
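Review bot: The two new assertions in grm print the very value they guard: pytest's assertion rewriting shows the operands of a failed `assert "secret-token:" not in cmd.stdout`, and the three `print` calls just above them have already dumped the raw stdout/stderr, so a leaked token is written to the test log twice on exactly the run where it matters. Reduce the check to a plain boolean and assert on that, `leaked = "secret-token:" in cmd.stdout or "secret-token:" in cmd.stderr` followed by `assert not leaked, "grm output contains a secret-token: credential"`, and place it before the `print` calls (or print a redacted copy). A comment would also help the next test author, since the guard is only effective while every test credential carries the RFC 8959 prefix: `# Test credentials are RFC 8959 "secret-token:" URIs; any of them in grm's output is a leak` — a plain-string token in a new test bypasses the check silently. How cmd is produced and how is_invalid is handled is outside the hunk.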
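Review bot: The literal `"echo secret-token:myauthtoken"` is now repeated in every config and CLI fixture of test_repos_find_remote.py (the hunks at 141, 157, 193, 213, 264 and 300 here and 378 through 761 on the next line) and has to stay byte-identical to the header the mock servers compare against in github.py and gitlab.py, while its `secret-token:` prefix is what the helpers.grm guard keys on. Defining it once beside that guard, `TEST_TOKEN = "secret-token:myauthtoken"` and `TOKEN_COMMAND = f"echo {TEST_TOKEN}"` in helpers.py, and using `{TOKEN_COMMAND}` in the f-string configs and `TOKEN_COMMAND` in the argument lists makes the coupling explicit and stops the prefix from drifting in one copy. The mock servers live in separate containers and would still carry their own copy of the value, which a comment on each side should point at. Every enclosing test function extends beyond its hunk.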
@@ -378,7 +378,7 @@ def test_repos_find_remote_group_empty(
 with open(config.name, "w") as f:
 cfg = f"""
 provider = "{provider}"
- token_command = "echo authtoken"
+ token_command = "echo secret-token:myauthtoken"
 root = "/myroot"
 """
@@ -403,7 +403,7 @@ def test_repos_find_remote_group_empty(
 "--provider",
 provider,
 "--token-command",
- "echo authtoken",
+ "echo secret-token:myauthtoken",
 "--root",
 "/myroot",
 "--group",
@@ -459,7 +459,7 @@ def test_repos_find_remote_group(
 with open(config.name, "w") as f:
 cfg = f"""
 provider = "{provider}"
- token_command = "echo authtoken"
+ token_command = "echo secret-token:myauthtoken"
 root = "/myroot"
 """
@@ -488,7 +488,7 @@ def test_repos_find_remote_group(
 "--provider",
 provider,
 "--token-command",
- "echo authtoken",
+ "echo secret-token:myauthtoken",
 "--root",
 "/myroot",
 "--group",
@@ -575,7 +575,7 @@ def test_repos_find_remote_user_and_group(
 with open(config.name, "w") as f:
 cfg = f"""
 provider = "{provider}"
- token_command = "echo authtoken"
+ token_command = "echo secret-token:myauthtoken"
 root = "/myroot"
 """
@@ -609,7 +609,7 @@ def test_repos_find_remote_user_and_group(
 "--provider",
 provider,
 "--token-command",
- "echo authtoken",
+ "echo secret-token:myauthtoken",
 "--root",
 "/myroot",
 "--group",
@@ -726,7 +726,7 @@ def test_repos_find_remote_owner(
 with open(config.name, "w") as f:
 cfg = f"""
 provider = "{provider}"
- token_command = "echo authtoken"
+ token_command = "echo secret-token:myauthtoken"
 root = "/myroot"
 """
@@ -761,7 +761,7 @@ def test_repos_find_remote_owner(
 "--provider",
 provider,
 "--token-command",
- "echo authtoken",
+ "echo secret-token:myauthtoken",
 "--root",
 "/myroot",
 "--access",