Make sure we do not expose secrets in output
This uses the RFC 8959 `secret-token:` URI scheme to mark the test token, so any copy of it that ends up in the CLI's output can be detected. Thanks hackernews for the idea ;)
@@ -12,7 +12,7 @@ def check_headers():
|
|||||||
app.logger.error("Invalid accept header")
|
app.logger.error("Invalid accept header")
|
||||||
abort(500)
|
abort(500)
|
||||||
auth_header = request.headers.get("authorization")
|
auth_header = request.headers.get("authorization")
|
||||||
if auth_header != "token authtoken":
|
if auth_header != "token secret-token:myauthtoken":
|
||||||
app.logger.error("Invalid authorization header: %s", auth_header)
|
app.logger.error("Invalid authorization header: %s", auth_header)
|
||||||
abort(
|
abort(
|
||||||
make_response(
|
make_response(
|
||||||
|
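Review bot: The rejection branch still logs the raw Authorization header via `app.logger.error("Invalid authorization header: %s", auth_header)`, so a client that sends the secret-token value with the wrong scheme or a stray byte gets the token written to the mock server's log, and the new `secret-token:` assertion in the `grm` helper only scans the CLI's stdout/stderr, not this log. Since the point of the commit is to keep the token out of output, log only that the header was rejected, e.g. `app.logger.error("Invalid authorization header")`, or at most the scheme word before the first space. The expected value is compared with a plain `!=`, which is fine for a test fixture but should not be copied into server code, where `hmac.compare_digest` belongs. `check_headers` begins and ends outside the hunk.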
|||||||
@@ -12,7 +12,7 @@ def check_headers():
|
|||||||
app.logger.error("Invalid accept header")
|
app.logger.error("Invalid accept header")
|
||||||
abort(500)
|
abort(500)
|
||||||
auth_header = request.headers.get("authorization")
|
auth_header = request.headers.get("authorization")
|
||||||
if auth_header != "bearer authtoken":
|
if auth_header != "bearer secret-token:myauthtoken":
|
||||||
app.logger.error("Invalid authorization header: %s", auth_header)
|
app.logger.error("Invalid authorization header: %s", auth_header)
|
||||||
abort(
|
abort(
|
||||||
make_response(
|
make_response(
|
||||||
|
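Review bot: As in the other mock server, `app.logger.error("Invalid authorization header: %s", auth_header)` writes the received header, secret-token value included, to the server log on a mismatch, and nothing in this commit checks that log. The two `check_headers` bodies appear to differ only in the `bearer`/`token` scheme and the literal, so one shared helper taking the expected header value, or at least a shared `TEST_TOKEN` constant, would keep the fixtures in step and leave a single place to redact the log line. `check_headers` begins and ends outside the hunk.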
|||||||
@@ -18,6 +18,8 @@ def grm(args, cwd=None, is_invalid=False):
|
|||||||
print(f"grmcmd: {args}")
|
print(f"grmcmd: {args}")
|
||||||
print(f"stdout:\n{cmd.stdout}")
|
print(f"stdout:\n{cmd.stdout}")
|
||||||
print(f"stderr:\n{cmd.stderr}")
|
print(f"stderr:\n{cmd.stderr}")
|
||||||
|
assert "secret-token:" not in cmd.stdout
|
||||||
|
assert "secret-token:" not in cmd.stderr
|
||||||
assert "panicked" not in cmd.stderr
|
assert "panicked" not in cmd.stderr
|
||||||
return cmd
|
return cmd
|
||||||
|
|
||||||
|
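Review bot: The two new assertions match only the literal prefix `secret-token:`, so a leak of the token in any transformed form, such as base64 inside a Basic-auth header or with the colon percent-encoded as `secret-token%3Amyauthtoken` in a remote URL, would pass unnoticed; it is the token body that must stay out of the output, so add `assert "myauthtoken" not in cmd.stdout` and `assert "myauthtoken" not in cmd.stderr`, ideally with both strings derived from one shared constant. The three `print` calls also run before the assertions, so when a check does fire the leaked value has already been echoed into pytest's captured output; acceptable for a fixture token, but worth a one-line comment such as `# fixture token only; printed for debugging before the leak check` so nobody reuses the helper with a real credential. `grm` starts outside the hunk.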
|||||||
@@ -141,7 +141,7 @@ def test_repos_find_remote_no_filter(provider, configtype, default, use_config):
|
|||||||
f.write(
|
f.write(
|
||||||
f"""
|
f"""
|
||||||
provider = "{provider}"
|
provider = "{provider}"
|
||||||
token_command = "echo authtoken"
|
token_command = "echo secret-token:myauthtoken"
|
||||||
root = "/myroot"
|
root = "/myroot"
|
||||||
"""
|
"""
|
||||||
)
|
)
|
||||||
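Review bot: The literal `secret-token:myauthtoken` is now repeated in every `token_command` fixture in this file, in both mock servers and (as a bare prefix) in the `grm` helper, with nothing tying the copies together, so a typo in one of them would presumably surface only as an authorization failure from the mock rather than as an obvious mismatch. A module-level `TEST_TOKEN = "secret-token:myauthtoken"` used as `token_command = "echo {TEST_TOKEN}"` inside these f-strings, and imported by the helper and the mocks, keeps them in sync. The enclosing test function starts before and ends after the hunk.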
@@ -157,7 +157,7 @@ def test_repos_find_remote_no_filter(provider, configtype, default, use_config):
|
|||||||
"--provider",
|
"--provider",
|
||||||
provider,
|
provider,
|
||||||
"--token-command",
|
"--token-command",
|
||||||
"echo authtoken",
|
"echo secret-token:myauthtoken",
|
||||||
"--root",
|
"--root",
|
||||||
"/myroot",
|
"/myroot",
|
||||||
]
|
]
|
||||||
@@ -193,7 +193,7 @@ def test_repos_find_remote_user_empty(
|
|||||||
with open(config.name, "w") as f:
|
with open(config.name, "w") as f:
|
||||||
cfg = f"""
|
cfg = f"""
|
||||||
provider = "{provider}"
|
provider = "{provider}"
|
||||||
token_command = "echo authtoken"
|
token_command = "echo secret-token:myauthtoken"
|
||||||
root = "/myroot"
|
root = "/myroot"
|
||||||
|
|
||||||
[filters]
|
[filters]
|
||||||
@@ -213,7 +213,7 @@ def test_repos_find_remote_user_empty(
|
|||||||
"--provider",
|
"--provider",
|
||||||
provider,
|
provider,
|
||||||
"--token-command",
|
"--token-command",
|
||||||
"echo authtoken",
|
"echo secret-token:myauthtoken",
|
||||||
"--root",
|
"--root",
|
||||||
"/myroot",
|
"/myroot",
|
||||||
"--user",
|
"--user",
|
||||||
@@ -264,7 +264,7 @@ def test_repos_find_remote_user(
|
|||||||
with open(config.name, "w") as f:
|
with open(config.name, "w") as f:
|
||||||
cfg = f"""
|
cfg = f"""
|
||||||
provider = "{provider}"
|
provider = "{provider}"
|
||||||
token_command = "echo authtoken"
|
token_command = "echo secret-token:myauthtoken"
|
||||||
root = "/myroot"
|
root = "/myroot"
|
||||||
"""
|
"""
|
||||||
|
|
||||||
@@ -300,7 +300,7 @@ def test_repos_find_remote_user(
|
|||||||
"--provider",
|
"--provider",
|
||||||
provider,
|
provider,
|
||||||
"--token-command",
|
"--token-command",
|
||||||
"echo authtoken",
|
"echo secret-token:myauthtoken",
|
||||||
"--root",
|
"--root",
|
||||||
"/myroot",
|
"/myroot",
|
||||||
]
|
]
|
||||||
@@ -378,7 +378,7 @@ def test_repos_find_remote_group_empty(
|
|||||||
with open(config.name, "w") as f:
|
with open(config.name, "w") as f:
|
||||||
cfg = f"""
|
cfg = f"""
|
||||||
provider = "{provider}"
|
provider = "{provider}"
|
||||||
token_command = "echo authtoken"
|
token_command = "echo secret-token:myauthtoken"
|
||||||
root = "/myroot"
|
root = "/myroot"
|
||||||
"""
|
"""
|
||||||
|
|
||||||
@@ -403,7 +403,7 @@ def test_repos_find_remote_group_empty(
|
|||||||
"--provider",
|
"--provider",
|
||||||
provider,
|
provider,
|
||||||
"--token-command",
|
"--token-command",
|
||||||
"echo authtoken",
|
"echo secret-token:myauthtoken",
|
||||||
"--root",
|
"--root",
|
||||||
"/myroot",
|
"/myroot",
|
||||||
"--group",
|
"--group",
|
||||||
@@ -459,7 +459,7 @@ def test_repos_find_remote_group(
|
|||||||
with open(config.name, "w") as f:
|
with open(config.name, "w") as f:
|
||||||
cfg = f"""
|
cfg = f"""
|
||||||
provider = "{provider}"
|
provider = "{provider}"
|
||||||
token_command = "echo authtoken"
|
token_command = "echo secret-token:myauthtoken"
|
||||||
root = "/myroot"
|
root = "/myroot"
|
||||||
"""
|
"""
|
||||||
|
|
||||||
@@ -488,7 +488,7 @@ def test_repos_find_remote_group(
|
|||||||
"--provider",
|
"--provider",
|
||||||
provider,
|
provider,
|
||||||
"--token-command",
|
"--token-command",
|
||||||
"echo authtoken",
|
"echo secret-token:myauthtoken",
|
||||||
"--root",
|
"--root",
|
||||||
"/myroot",
|
"/myroot",
|
||||||
"--group",
|
"--group",
|
||||||
@@ -575,7 +575,7 @@ def test_repos_find_remote_user_and_group(
|
|||||||
with open(config.name, "w") as f:
|
with open(config.name, "w") as f:
|
||||||
cfg = f"""
|
cfg = f"""
|
||||||
provider = "{provider}"
|
provider = "{provider}"
|
||||||
token_command = "echo authtoken"
|
token_command = "echo secret-token:myauthtoken"
|
||||||
root = "/myroot"
|
root = "/myroot"
|
||||||
"""
|
"""
|
||||||
|
|
||||||
@@ -609,7 +609,7 @@ def test_repos_find_remote_user_and_group(
|
|||||||
"--provider",
|
"--provider",
|
||||||
provider,
|
provider,
|
||||||
"--token-command",
|
"--token-command",
|
||||||
"echo authtoken",
|
"echo secret-token:myauthtoken",
|
||||||
"--root",
|
"--root",
|
||||||
"/myroot",
|
"/myroot",
|
||||||
"--group",
|
"--group",
|
||||||
@@ -726,7 +726,7 @@ def test_repos_find_remote_owner(
|
|||||||
with open(config.name, "w") as f:
|
with open(config.name, "w") as f:
|
||||||
cfg = f"""
|
cfg = f"""
|
||||||
provider = "{provider}"
|
provider = "{provider}"
|
||||||
token_command = "echo authtoken"
|
token_command = "echo secret-token:myauthtoken"
|
||||||
root = "/myroot"
|
root = "/myroot"
|
||||||
"""
|
"""
|
||||||
|
|
||||||
@@ -761,7 +761,7 @@ def test_repos_find_remote_owner(
|
|||||||
"--provider",
|
"--provider",
|
||||||
provider,
|
provider,
|
||||||
"--token-command",
|
"--token-command",
|
||||||
"echo authtoken",
|
"echo secret-token:myauthtoken",
|
||||||
"--root",
|
"--root",
|
||||||
"/myroot",
|
"/myroot",
|
||||||
"--access",
|
"--access",
|
||||||
|
|||||||