
fix: sanitize commitMessage, prTitle, branchName
In preparation for secrets PR
rarkins committed Jul 3, 2020
1 parent b60cc2c commit 926a553
Showing 5 changed files with 31 additions and 0 deletions.
1 change: 1 addition & 0 deletions lib/constants/error-messages.ts
Expand Up @@ -12,6 +12,7 @@ export const PLATFORM_RATE_LIMIT_EXCEEDED = 'rate-limit-exceeded';

// Config Error
export const CONFIG_VALIDATION = 'config-validation';
export const CONFIG_SECRETS_EXPOSED = 'config-secrets-exposed';

// Repository Error
export const REPOSITORY_ACCESS_FORBIDDEN = 'forbidden';
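Review bot: The new CONFIG_SECRETS_EXPOSED constant carries no comment stating what condition it signals, and handlers that match on err.message elsewhere in this commit have to infer the contract from the name. Add a line above it such as `// Thrown when a templated branchName, commitMessage or prTitle differs from its sanitize() output, i.e. would still contain a secret value` so the section header "Config Error" is not the only context.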
9 changes: 9 additions & 0 deletions lib/workers/branch/commit.ts
@@ -1,7 +1,9 @@
import is from '@sindresorhus/is';
import minimatch from 'minimatch';
import { CONFIG_SECRETS_EXPOSED } from '../../constants/error-messages';
import { logger } from '../../logger';
import { platform } from '../../platform';
import { sanitize } from '../../util/sanitize';
import { BranchConfig } from '../common';

export async function commitFilesToBranch(
Expand Down Expand Up @@ -33,6 +35,13 @@ export async function commitFilesToBranch(
logger.info('DRY-RUN: Would commit files to branch ' + config.branchName);
return null;
}
// istanbul ignore if
if (
config.branchName !== sanitize(config.branchName) ||
config.commitMessage !== sanitize(config.commitMessage)
) {
throw new Error(CONFIG_SECRETS_EXPOSED);
}
// API will know whether to create new branch or not
return platform.commitFiles({
branchName: config.branchName,
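Review bot: The new sanitize() comparison sits after the DRY-RUN early return, so in dry-run mode a branchName that would fail the check is still interpolated into `logger.info('DRY-RUN: Would commit files to branch ' + config.branchName)` and the function returns null without throwing; whether the logger redacts that value on its own is not visible here. Moving the `if (config.branchName !== sanitize(config.branchName) || ...)` block above the dry-run branch makes both modes fail the same way. The `// istanbul ignore if` also excludes this guard from coverage; a spec passing a branchName equal to a value sanitize() redacts and expecting a CONFIG_SECRETS_EXPOSED error would exercise it, and the same applies to the two guards added in lib/workers/repository/updates/generate.ts. commitFilesToBranch's body begins and ends outside this hunk.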
2 changes: 2 additions & 0 deletions lib/workers/repository/error.spec.ts
@@ -1,5 +1,6 @@
import { RenovateConfig, getConfig } from '../../../test/util';
import {
CONFIG_SECRETS_EXPOSED,
CONFIG_VALIDATION,
EXTERNAL_HOST_ERROR,
MANAGER_LOCKFILE_ERROR,
Expand Down Expand Up @@ -46,6 +47,7 @@ describe('workers/repository/error', () => {
REPOSITORY_CHANGED,
REPOSITORY_FORKED,
MANAGER_NO_PACKAGE_FILES,
CONFIG_SECRETS_EXPOSED,
CONFIG_VALIDATION,
REPOSITORY_ARCHIVED,
REPOSITORY_MIRRORED,
9 changes: 9 additions & 0 deletions lib/workers/repository/error.ts
@@ -1,6 +1,7 @@
import { RenovateConfig } from '../../config';

import {
CONFIG_SECRETS_EXPOSED,
CONFIG_VALIDATION,
EXTERNAL_HOST_ERROR,
MANAGER_LOCKFILE_ERROR,
Expand Down Expand Up @@ -106,6 +107,14 @@ export default async function handleError(
await raiseConfigWarningIssue(config, err);
return err.message;
}
if (err.message === CONFIG_SECRETS_EXPOSED) {
delete config.branchList; // eslint-disable-line no-param-reassign
logger.warn(
{ error: err },
'Repository aborted due to potential secrets exposure'
);
return err.message;
}
if (err instanceof ExternalHostError) {
logger.warn(
{ hostType: err.hostType, lookupName: err.lookupName, err: err.err },
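Review bot: The new CONFIG_SECRETS_EXPOSED branch only emits a warn log and returns, while the CONFIG_VALIDATION branch directly above it also calls `raiseConfigWarningIssue(config, err)`, so the repository owner gets no in-repo signal about why processing was aborted. If skipping the issue is deliberate because an issue body could echo the offending string, record that with a comment such as `// No config warning issue: the offending value itself could contain the secret`; otherwise raise an issue with a fixed message that does not include the value. The Error constructed at the throw sites carries only the constant, so the `{ error: err }` payload should not itself leak the value. handleError continues outside this hunk.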
10 changes: 10 additions & 0 deletions lib/workers/repository/updates/generate.ts
Expand Up @@ -2,7 +2,9 @@ import { DateTime } from 'luxon';
import mdTable from 'markdown-table';
import semver from 'semver';
import { mergeChildConfig } from '../../../config';
import { CONFIG_SECRETS_EXPOSED } from '../../../constants/error-messages';
import { logger } from '../../../logger';
import { sanitize } from '../../../util/sanitize';
import * as template from '../../../util/template';
import { BranchConfig, BranchUpgradeConfig } from '../../common';

Expand Down Expand Up @@ -194,6 +196,10 @@ export function generateBranchConfig(
);
upgrade.commitMessage = template.compile(upgrade.commitMessage, upgrade);
upgrade.commitMessage = template.compile(upgrade.commitMessage, upgrade);
// istanbul ignore if
if (upgrade.commitMessage !== sanitize(upgrade.commitMessage)) {
throw new Error(CONFIG_SECRETS_EXPOSED);
}
upgrade.commitMessage = upgrade.commitMessage.trim(); // Trim exterior whitespace
upgrade.commitMessage = upgrade.commitMessage.replace(/\s+/g, ' '); // Trim extra whitespace inside string
upgrade.commitMessage = upgrade.commitMessage.replace(
Expand All @@ -220,6 +226,10 @@ export function generateBranchConfig(
.compile(upgrade.prTitle, upgrade)
.trim()
.replace(/\s+/g, ' ');
// istanbul ignore if
if (upgrade.prTitle !== sanitize(upgrade.prTitle)) {
throw new Error(CONFIG_SECRETS_EXPOSED);
}
if (upgrade.toLowerCase) {
upgrade.prTitle = upgrade.prTitle.toLowerCase();
}
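Review bot: The same three-line guard is now duplicated twice here and once more in lib/workers/branch/commit.ts, and the two copies in this file run at different points: the commitMessage check precedes the `.trim()` and `.replace(/\s+/g, ' ')` normalisation on the following lines, while the prTitle check runs after the equivalent normalisation. A small helper next to these checks, `function assertNoSecrets(value: string): void { if (value !== sanitize(value)) throw new Error(CONFIG_SECRETS_EXPOSED); }`, keeps the three sites identical and makes the order easy to align. Whether collapsing whitespace can change what sanitize() redacts is not visible from this hunk, so checking after normalisation in both places, as the prTitle path already does, is the safer order. generateBranchConfig begins and ends outside these hunks.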
