afa27cf52c
Many non-secrets are actually pretty high entropy, at least according to `zxcvbn`. For example: "Hello, Pulumi Timers!" would actually cause us to say: "this looks like a secret", much in the same way that "correct horse battery staple" is high entropy according to that package. In addition to considering the entropy of the value, gosec (the linter we copied this logic from) also considers the name of the value that is being assigned to. In that spirit, let's only do this check when the config key name actually looks like it is something we'd want to warn the user about. We use the same regular expression as `gosec`. Fixes #1732
// Copyright 2016-2018, Pulumi Corporation.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package cmd
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/pulumi/pulumi/pkg/resource/config"
"github.com/pulumi/pulumi/pkg/tokens"
"github.com/pulumi/pulumi/pkg/workspace"
)
// TestPrettyKeyForProject checks that a config key in the project's own
// namespace is printed bare, while a key from another package keeps its
// namespace prefix so it cannot be confused with a local key.
func TestPrettyKeyForProject(t *testing.T) {
	proj := &workspace.Project{
		Name:        tokens.PackageName("test-package"),
		RuntimeInfo: workspace.NewProjectRuntimeInfo("nodejs", nil),
	}

	cases := []struct {
		namespace, name string
		want            string
	}{
		// Same namespace as the project: the package prefix is dropped.
		{"test-package", "foo", "foo"},
		// Foreign namespace: the prefix is kept.
		{"other-package", "bar", "other-package:bar"},
	}
	for _, tc := range cases {
		got := prettyKeyForProject(config.MustMakeKey(tc.namespace, tc.name), proj)
		assert.Equal(t, tc.want, got)
	}
}
// TestSecretDetection checks looksLikeSecret with one fixed high-entropy value
// under several key names, so that only the key name varies between cases.
// The heuristic is expected to fire for secret-looking names ("token",
// "apiToken") and to stay quiet for a name that does not match, even though
// the value itself is identical.
func TestSecretDetection(t *testing.T) {
	// Shared value for every case; only the key name changes.
	const value = "1415fc1f4eaeb5e096ee58c1480016638fff29bf"

	cases := []struct {
		keyName string
		want    bool
	}{
		{"token", true},
		{"apiToken", true},
		// The key name does not match the secret-name pattern, so even though
		// the value "looks like" a secret it is deliberately not reported as one.
		{"okay", false},
	}
	for _, tc := range cases {
		got := looksLikeSecret(config.MustMakeKey("test", tc.keyName), value)
		assert.Equal(t, tc.want, got, "key name %q", tc.keyName)
	}
}