From ecbe83d8d3d80d18a112efec93f8d13380996a67 Mon Sep 17 00:00:00 2001 From: Mike Donnalley Date: Thu, 20 Jun 2024 09:44:28 -0600 Subject: [PATCH 1/3] fix: prevent validations on encrypted values --- src/config/config.ts | 37 +++++++++++++++++--- test/unit/config/configTest.ts | 64 ++++++++++++++++++++++++++++------ 2 files changed, 86 insertions(+), 15 deletions(-) diff --git a/src/config/config.ts b/src/config/config.ts index dc8cac944..5b91a66bd 100644 --- a/src/config/config.ts +++ b/src/config/config.ts @@ -420,6 +420,16 @@ export class Config extends ConfigFile { return keyBy(Config.allowedProperties, 'key'); } + private static findProperty(key: string): ConfigPropertyMeta { + const property = Config.allowedProperties.find((allowedProp) => allowedProp.key === key); + + if (!property) { + throw messages.createError('unknownConfigKey', [key]); + } + + return property; + } + /** * Read, assign, and return the config contents. */ @@ -493,11 +503,8 @@ export class Config extends ConfigFile { * @param value The value of the property. */ public set>(key: K, value: ConfigProperties[K]): ConfigProperties { - const property = Config.allowedProperties.find((allowedProp) => allowedProp.key === key); + const property = Config.findProperty(key); - if (!property) { - throw messages.createError('unknownConfigKey', [key]); - } if (property.deprecated && property.newKey) { // you're trying to set a deprecated key, but we'll set the new key instead void Lifecycle.getInstance().emitWarning(messages.getMessage('deprecatedConfigKey', [key, property.newKey])); @@ -590,11 +597,31 @@ export class Config extends ConfigFile { this.forEach((key, value) => { if (this.getPropertyConfig(key).encrypted && isString(value)) { - this.set(key, ensure(encrypt ? crypto.encrypt(value) : crypto.decrypt(value))); + if (encrypt) { + this.setEncryptedProperty(key, ensure(crypto.encrypt(value))); + } else { + this.set(key, ensure(crypto.decrypt(value))); + } } }); } } + + /** + * Set an encrypted property without rerunning the validator. Should only be used by `cryptProperties` method. + */ + private setEncryptedProperty>(key: K, value: ConfigProperties[K]): ConfigProperties { + const property = Config.findProperty(key); + + if (property.deprecated && property.newKey) { + // you're trying to set a deprecated key, but we'll set the new key instead + void Lifecycle.getInstance().emitWarning(messages.getMessage('deprecatedConfigKey', [key, property.newKey])); + return this.set(property.newKey, value); + } + + super.set(property.key, value); + return this.getContents(); + } } /** diff --git a/test/unit/config/configTest.ts b/test/unit/config/configTest.ts index 4451422ad..d815f5115 100644 --- a/test/unit/config/configTest.ts +++ b/test/unit/config/configTest.ts @@ -260,12 +260,10 @@ describe('Config', () => { it('calls ConfigFile.write with encrypted values contents', async () => { const TEST_VAL = 'test'; - const writeStub = stubMethod($$.SANDBOX, ConfigFile.prototype, ConfigFile.prototype.write.name).callsFake( - async function (this: Config) { - expect(ensureString(this.get('org-isv-debugger-sid')).length).to.be.greaterThan(TEST_VAL.length); - expect(ensureString(this.get('org-isv-debugger-sid'))).to.not.equal(TEST_VAL); - } - ); + const writeStub = stubMethod($$.SANDBOX, ConfigFile.prototype, 'write').callsFake(async function (this: Config) { + expect(ensureString(this.get('org-isv-debugger-sid')).length).to.be.greaterThan(TEST_VAL.length); + expect(ensureString(this.get('org-isv-debugger-sid'))).to.not.equal(TEST_VAL); + }); const config = await Config.create(Config.getDefaultOptions(true)); config.set(OrgConfigProperties.ORG_ISV_DEBUGGER_SID, TEST_VAL); @@ -275,8 +273,8 @@ describe('Config', () => { }); it('calls ConfigFile.read with unknown key and does not throw on crypt', async () => { - stubMethod($$.SANDBOX, ConfigFile.prototype, ConfigFile.prototype.readSync.name).callsFake(async () => {}); - stubMethod($$.SANDBOX, ConfigFile.prototype, ConfigFile.prototype.read.name).callsFake(async function () { + stubMethod($$.SANDBOX, ConfigFile.prototype, 'readSync').callsFake(async () => {}); + stubMethod($$.SANDBOX, ConfigFile.prototype, 'read').callsFake(async function () { // @ts-expect-error -> this is any // eslint-disable-next-line @typescript-eslint/no-unsafe-call this.setContentsFromFileContents({ unknown: 'unknown config key and value' }); @@ -285,18 +283,64 @@ describe('Config', () => { const config = await Config.create({ isGlobal: true }); expect(config).to.exist; }); + + describe('set', () => { + let originalAllowedProperties: ConfigPropertyMeta[]; + + beforeEach(() => { + // @ts-expect-error because allowedProperties is protected + originalAllowedProperties = Config.allowedProperties; + (Config as any).allowedProperties = []; + }); + + afterEach(() => { + // @ts-expect-error because allowedProperties is protected + Config.allowedProperties = originalAllowedProperties; + }); + + it('does not rerun validation when setting an encrypted value', async () => { + const validationSpy = $$.SANDBOX.stub().callsFake( + (value) => typeof value === 'string' && value.startsWith('123') + ); + Config.addAllowedProperties([ + { + key: 'encrypted-token', + description: 'encrypted token', + encrypted: true, + input: { + validator: validationSpy, + failedMessage: 'Token must start with 123', + }, + }, + ]); + const config = await Config.create({ ...Config.getDefaultOptions(true), encryptedKeys: ['encrypted-token'] }); + try { + config.set('encrypted-token', '123456'); + // config.write will call cryptProperties(true). It's easier to call it directly than to stub the file system operations + // If it doesn't throw, then the validation was not rerun on the encrypted value + // @ts-expect-error because cryptProperties is private + await config.cryptProperties(true); + expect(validationSpy.calledOnce).to.be.true; + expect(config.get('encrypted-token')).to.be.ok; + } catch (err) { + expect(err, 'No error should have been thrown').to.be.undefined; + } + }); + }); }); describe('allowed properties', () => { let originalAllowedProperties: ConfigPropertyMeta[]; beforeEach(() => { - originalAllowedProperties = (Config as any).allowedProperties; + // @ts-expect-error because allowedProperties is protected + originalAllowedProperties = Config.allowedProperties; (Config as any).allowedProperties = []; }); afterEach(() => { - (Config as any).allowedProperties = originalAllowedProperties; + // @ts-expect-error because allowedProperties is protected + Config.allowedProperties = originalAllowedProperties; }); it('has default properties assigned', () => { From 42d7a2b1dd765630d33811ea85a13298178dab9b Mon Sep 17 00:00:00 2001 From: Mike Donnalley Date: Thu, 20 Jun 2024 09:54:28 -0600 Subject: [PATCH 2/3] chore: simplify solution --- src/config/config.ts | 37 +++++-------------------------------- 1 file changed, 5 insertions(+), 32 deletions(-) diff --git a/src/config/config.ts b/src/config/config.ts index 5b91a66bd..4cdbcce38 100644 --- a/src/config/config.ts +++ b/src/config/config.ts @@ -420,16 +420,6 @@ export class Config extends ConfigFile { return keyBy(Config.allowedProperties, 'key'); } - private static findProperty(key: string): ConfigPropertyMeta { - const property = Config.allowedProperties.find((allowedProp) => allowedProp.key === key); - - if (!property) { - throw messages.createError('unknownConfigKey', [key]); - } - - return property; - } - /** * Read, assign, and return the config contents. */ @@ -503,8 +493,11 @@ export class Config extends ConfigFile { * @param value The value of the property. */ public set>(key: K, value: ConfigProperties[K]): ConfigProperties { - const property = Config.findProperty(key); + const property = Config.allowedProperties.find((allowedProp) => allowedProp.key === key); + if (!property) { + throw messages.createError('unknownConfigKey', [key]); + } if (property.deprecated && property.newKey) { // you're trying to set a deprecated key, but we'll set the new key instead void Lifecycle.getInstance().emitWarning(messages.getMessage('deprecatedConfigKey', [key, property.newKey])); @@ -597,31 +590,11 @@ export class Config extends ConfigFile { this.forEach((key, value) => { if (this.getPropertyConfig(key).encrypted && isString(value)) { - if (encrypt) { - this.setEncryptedProperty(key, ensure(crypto.encrypt(value))); - } else { - this.set(key, ensure(crypto.decrypt(value))); - } + super.set(key, ensure(encrypt ? crypto.encrypt(value) : crypto.decrypt(value))); } }); } } - - /** - * Set an encrypted property without rerunning the validator. Should only be used by `cryptProperties` method. - */ - private setEncryptedProperty>(key: K, value: ConfigProperties[K]): ConfigProperties { - const property = Config.findProperty(key); - - if (property.deprecated && property.newKey) { - // you're trying to set a deprecated key, but we'll set the new key instead - void Lifecycle.getInstance().emitWarning(messages.getMessage('deprecatedConfigKey', [key, property.newKey])); - return this.set(property.newKey, value); - } - - super.set(property.key, value); - return this.getContents(); - } } /** From 9fc3987615c2b4c78b7cd0797bb1e490d98df55f Mon Sep 17 00:00:00 2001 From: Mike Donnalley Date: Thu, 20 Jun 2024 09:56:16 -0600 Subject: [PATCH 3/3] test: clean up --- test/unit/config/configTest.ts | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/unit/config/configTest.ts b/test/unit/config/configTest.ts index d815f5115..8d5bac9fb 100644 --- a/test/unit/config/configTest.ts +++ b/test/unit/config/configTest.ts @@ -290,7 +290,8 @@ describe('Config', () => { beforeEach(() => { // @ts-expect-error because allowedProperties is protected originalAllowedProperties = Config.allowedProperties; - (Config as any).allowedProperties = []; + // @ts-expect-error because allowedProperties is protected + Config.allowedProperties = []; }); afterEach(() => { @@ -335,7 +336,8 @@ describe('Config', () => { beforeEach(() => { // @ts-expect-error because allowedProperties is protected originalAllowedProperties = Config.allowedProperties; - (Config as any).allowedProperties = []; + // @ts-expect-error because allowedProperties is protected + Config.allowedProperties = []; }); afterEach(() => {