Make sure we do not expose secrets in output

This uses the RFC 8959 URI scheme to detect secrets. Thanks
hackernews for the idea ;)
2022-05-27 23:37:54 +02:00
parent 90d188e01e
commit a71711978e
4 changed files with 18 additions and 16 deletions


@@ -12,7 +12,7 @@ def check_headers():
app.logger.error("Invalid accept header")
abort(500)
auth_header = request.headers.get("authorization")
if auth_header != "token authtoken":
if auth_header != "token secret-token:myauthtoken":
app.logger.error("Invalid authorization header: %s", auth_header)
abort(
make_response(
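Review bot: The error log directly below the changed comparison still writes the full Authorization header to the mock server's log, and after this commit that header carries the `secret-token:` value the change is meant to keep out of output. Debugging a failing test does not need the value itself; logging whether the header was present and how long it was is enough: `app.logger.error("Invalid authorization header (%d chars)", len(auth_header or ""))`. The same log line appears unchanged in the second file section (the `bearer` variant of check_headers). check_headers starts above this hunk and continues below it, so I cannot see whether the server log is captured into the test output.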


@@ -12,7 +12,7 @@ def check_headers():
app.logger.error("Invalid accept header")
abort(500)
auth_header = request.headers.get("authorization")
if auth_header != "bearer authtoken":
if auth_header != "bearer secret-token:myauthtoken":
app.logger.error("Invalid authorization header: %s", auth_header)
abort(
make_response(


@@ -18,6 +18,8 @@ def grm(args, cwd=None, is_invalid=False):
print(f"grmcmd: {args}")
print(f"stdout:\n{cmd.stdout}")
print(f"stderr:\n{cmd.stderr}")
assert "secret-token:" not in cmd.stdout
assert "secret-token:" not in cmd.stderr
assert "panicked" not in cmd.stderr
return cmd
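Review bot: The two new `assert "secret-token:" not in ...` lines run only after the `print(f"stdout:...` and `print(f"stderr:...` lines have already written the captured output, so a leaked secret still lands in the pytest log before the test fails; move the two assertions above the prints, or print a redacted copy. The check also only matches the literal scheme prefix: if the program strips `secret-token:` before using the value, a bare `myauthtoken` in the output would pass unnoticed, so consider letting callers pass the expected token value and asserting on that too. The `in` checks assume `cmd.stdout` and `cmd.stderr` are `str` (text mode on the subprocess call, which is above this hunk); on `bytes` they would raise TypeError rather than catch anything. grm starts before this hunk.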


@@ -141,7 +141,7 @@ def test_repos_find_remote_no_filter(provider, configtype, default, use_config):
f.write(
f"""
provider = "{provider}"
token_command = "echo authtoken"
token_command = "echo secret-token:myauthtoken"
root = "/myroot"
"""
)
@@ -157,7 +157,7 @@ def test_repos_find_remote_no_filter(provider, configtype, default, use_config):
"--provider",
provider,
"--token-command",
"echo authtoken",
"echo secret-token:myauthtoken",
"--root",
"/myroot",
]
@@ -193,7 +193,7 @@ def test_repos_find_remote_user_empty(
with open(config.name, "w") as f:
cfg = f"""
provider = "{provider}"
token_command = "echo authtoken"
token_command = "echo secret-token:myauthtoken"
root = "/myroot"
[filters]
@@ -213,7 +213,7 @@ def test_repos_find_remote_user_empty(
"--provider",
provider,
"--token-command",
"echo authtoken",
"echo secret-token:myauthtoken",
"--root",
"/myroot",
"--user",
@@ -264,7 +264,7 @@ def test_repos_find_remote_user(
with open(config.name, "w") as f:
cfg = f"""
provider = "{provider}"
token_command = "echo authtoken"
token_command = "echo secret-token:myauthtoken"
root = "/myroot"
"""
@@ -300,7 +300,7 @@ def test_repos_find_remote_user(
"--provider",
provider,
"--token-command",
"echo authtoken",
"echo secret-token:myauthtoken",
"--root",
"/myroot",
]
@@ -378,7 +378,7 @@ def test_repos_find_remote_group_empty(
with open(config.name, "w") as f:
cfg = f"""
provider = "{provider}"
token_command = "echo authtoken"
token_command = "echo secret-token:myauthtoken"
root = "/myroot"
"""
@@ -403,7 +403,7 @@ def test_repos_find_remote_group_empty(
"--provider",
provider,
"--token-command",
"echo authtoken",
"echo secret-token:myauthtoken",
"--root",
"/myroot",
"--group",
@@ -459,7 +459,7 @@ def test_repos_find_remote_group(
with open(config.name, "w") as f:
cfg = f"""
provider = "{provider}"
token_command = "echo authtoken"
token_command = "echo secret-token:myauthtoken"
root = "/myroot"
"""
@@ -488,7 +488,7 @@ def test_repos_find_remote_group(
"--provider",
provider,
"--token-command",
"echo authtoken",
"echo secret-token:myauthtoken",
"--root",
"/myroot",
"--group",
@@ -575,7 +575,7 @@ def test_repos_find_remote_user_and_group(
with open(config.name, "w") as f:
cfg = f"""
provider = "{provider}"
token_command = "echo authtoken"
token_command = "echo secret-token:myauthtoken"
root = "/myroot"
"""
@@ -609,7 +609,7 @@ def test_repos_find_remote_user_and_group(
"--provider",
provider,
"--token-command",
"echo authtoken",
"echo secret-token:myauthtoken",
"--root",
"/myroot",
"--group",
@@ -726,7 +726,7 @@ def test_repos_find_remote_owner(
with open(config.name, "w") as f:
cfg = f"""
provider = "{provider}"
token_command = "echo authtoken"
token_command = "echo secret-token:myauthtoken"
root = "/myroot"
"""
@@ -761,7 +761,7 @@ def test_repos_find_remote_owner(
"--provider",
provider,
"--token-command",
"echo authtoken",
"echo secret-token:myauthtoken",
"--root",
"/myroot",
"--access",
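Review bot: The literal `secret-token:myauthtoken` is now repeated in every generated config and every `--token-command` argument list in this file, and it must also match the comparison in the mock server's check_headers; a drift in any one copy would fail a test in a way that looks like an authorization bug. Define it once at module level, e.g. `TEST_TOKEN = "secret-token:myauthtoken"` and `TOKEN_COMMAND = f"echo {TEST_TOKEN}"`, and use the constant in the f-string configs and the argument lists (this note is for the last hunk, in test_repos_find_remote_owner, and applies equally to each hunk above it). A shared constant would also let the grm helper assert that the bare token value is absent from output, not just the scheme prefix. Each test function here begins before its hunk and continues after it.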