From 39b23d64fe5e194ee36e05314b485455dbca4776 Mon Sep 17 00:00:00 2001
From: Michael Kriese <michael.kriese@visualon.de>
Date: Tue, 3 Jan 2023 13:29:07 +0100
Subject: [PATCH] feat: better sanitize (#19646)
---
lib/config/secrets.ts | 2 +-
lib/modules/datasource/docker/index.ts | 5 +++++
lib/modules/datasource/go/index.ts | 5 ++---
lib/modules/manager/bundler/artifacts.ts | 3 ---
lib/workers/global/index.spec.ts | 8 ++++++++
lib/workers/global/index.ts | 8 ++++++++
6 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/lib/config/secrets.ts b/lib/config/secrets.ts
index 9e3037f9d9..3198a99b32 100644
--- a/lib/config/secrets.ts
+++ b/lib/config/secrets.ts
@@ -124,7 +124,7 @@ export function applySecretsToConfig(
// Add all secrets to be sanitized
if (is.plainObject(secrets)) {
for (const secret of Object.values(secrets)) {
- addSecretForSanitizing(String(secret));
+ addSecretForSanitizing(secret);
}
}
// TODO: fix types (#9610)
diff --git a/lib/modules/datasource/docker/index.ts b/lib/modules/datasource/docker/index.ts
index 624646ce1a..49c98a3802 100644
--- a/lib/modules/datasource/docker/index.ts
+++ b/lib/modules/datasource/docker/index.ts
@@ -21,6 +21,7 @@ import type {
} from '../../../util/http/types';
import { hasKey } from '../../../util/object';
import { regEx } from '../../../util/regex';
+import { addSecretForSanitizing } from '../../../util/sanitize';
import {
ensurePathPrefix,
ensureTrailingSlash,
@@ -181,6 +182,8 @@ export async function getAuthHeaders(
logger.warn('Failed to obtain docker registry token');
return null;
}
+ // sanitize token
+ addSecretForSanitizing(token);
return {
authorization: `Bearer ${token}`,
};
@@ -247,6 +250,8 @@ async function getECRAuthToken(
const data = await ecr.getAuthorizationToken({});
const authorizationToken = data?.authorizationData?.[0]?.authorizationToken;
if (authorizationToken) {
+ // sanitize token
+ addSecretForSanitizing(authorizationToken);
return authorizationToken;
}
logger.warn(
diff --git a/lib/modules/datasource/go/index.ts b/lib/modules/datasource/go/index.ts
index 007b886af2..8bd8f4629a 100644
--- a/lib/modules/datasource/go/index.ts
+++ b/lib/modules/datasource/go/index.ts
@@ -92,10 +92,9 @@ export class GoDatasource extends Datasource {
// istanbul ignore if
if (is.string(process.env.GOPROXY)) {
const uri = parseUrl(process.env.GOPROXY);
- if (uri?.username) {
- addSecretForSanitizing(uri.username, 'global');
- }
if (uri?.password) {
addSecretForSanitizing(uri.password, 'global');
+ } else if (uri?.username) {
+ addSecretForSanitizing(uri.username, 'global');
}
}
diff --git a/lib/modules/manager/bundler/artifacts.ts b/lib/modules/manager/bundler/artifacts.ts
index 317cc4e4b1..25055a1782 100644
--- a/lib/modules/manager/bundler/artifacts.ts
+++ b/lib/modules/manager/bundler/artifacts.ts
@@ -17,7 +17,6 @@ import {
} from '../../../util/fs';
import { getRepoStatus } from '../../../util/git';
import { newlineRegex, regEx } from '../../../util/regex';
-import { addSecretForSanitizing } from '../../../util/sanitize';
import { isValid } from '../../versioning/ruby';
import type {
UpdateArtifact,
@@ -146,8 +145,6 @@ export async function updateArtifacts(
// TODO: fix me, hostrules can missing all auth
const creds = getAuthenticationHeaderValue(hostRule);
authCommands.push(`${hostRule.resolvedHost} ${creds}`);
- // sanitize the authentication
- addSecretForSanitizing(creds);
}
return authCommands;
},
diff --git a/lib/workers/global/index.spec.ts b/lib/workers/global/index.spec.ts
index 73e072a1f8..f4b25e25ee 100644
--- a/lib/workers/global/index.spec.ts
+++ b/lib/workers/global/index.spec.ts
@@ -6,6 +6,7 @@ import * as _presets from '../../config/presets';
import { CONFIG_PRESETS_INVALID } from '../../constants/error-messages';
import { DockerDatasource } from '../../modules/datasource/docker';
import * as _platform from '../../modules/platform';
+import * as secrets from '../../util/sanitize';
import * as _repositoryWorker from '../repository';
import * as _configParser from './config/parse';
import * as _limits from './limits';
@@ -25,12 +26,16 @@ const platform: jest.Mocked<typeof _platform> = _platform as never;
const presets = mocked(_presets);
const limits = _limits;
+const addSecretForSanitizing = jest.spyOn(secrets, 'addSecretForSanitizing');
+
describe('workers/global/index', () => {
beforeEach(() => {
jest.resetAllMocks();
logger.getProblems.mockImplementationOnce(() => []);
configParser.parseConfigs = jest.fn();
platform.initPlatform.mockImplementation((input) => Promise.resolve(input));
+ delete process.env.AWS_SECRET_ACCESS_KEY;
+ delete process.env.AWS_SESSION_TOKEN;
});
it('handles config warnings and errors', async () => {
@@ -39,7 +44,10 @@ describe('workers/global/index', () => {
maintainYarnLock: true,
foo: 1,
});
+ process.env.AWS_SECRET_ACCESS_KEY = 'key';
+ process.env.AWS_SESSION_TOKEN = 'token';
await expect(globalWorker.start()).resolves.toBe(0);
+ expect(addSecretForSanitizing).toHaveBeenCalledTimes(2);
});
it('resolves global presets immediately', async () => {
diff --git a/lib/workers/global/index.ts b/lib/workers/global/index.ts
index e6793e63a1..d601e357c3 100644
--- a/lib/workers/global/index.ts
+++ b/lib/workers/global/index.ts
@@ -20,6 +20,7 @@ import { getProblems, logger, setMeta } from '../../logger';
import * as hostRules from '../../util/host-rules';
import * as queue from '../../util/http/queue';
import * as throttle from '../../util/http/throttle';
+import { addSecretForSanitizing } from '../../util/sanitize';
import * as repositoryWorker from '../repository';
import { autodiscoverRepositories } from './autodiscover';
import { parseConfigs } from './config/parse';
@@ -109,6 +110,13 @@ export async function resolveGlobalExtends(
export async function start(): Promise<number> {
let config: AllConfig;
try {
+ if (is.nonEmptyStringAndNotWhitespace(process.env.AWS_SECRET_ACCESS_KEY)) {
+ addSecretForSanitizing(process.env.AWS_SECRET_ACCESS_KEY, 'global');
+ }
+ if (is.nonEmptyStringAndNotWhitespace(process.env.AWS_SESSION_TOKEN)) {
+ addSecretForSanitizing(process.env.AWS_SESSION_TOKEN, 'global');
+ }
+
await instrument('config', async () => {
// read global config from file, env and cli args
config = await getGlobalConfig();
--
GitLab