fix(core): Redact csrfSecret when returning oauth credentials to the frontend (#10075)

This commit is contained in:
कारतोफ्फेलस्क्रिप्ट™ 2024-07-16 18:09:56 +02:00 committed by GitHub
parent 68d5d7e2e9
commit 48f047ee2e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 71 additions and 1 deletions

View file

@ -0,0 +1,70 @@
import { CREDENTIAL_EMPTY_VALUE, type ICredentialType } from 'n8n-workflow';
import { mock } from 'jest-mock-extended';
import { CREDENTIAL_BLANKING_VALUE } from '@/constants';
import type { CredentialsEntity } from '@db/entities/CredentialsEntity';
import type { CredentialTypes } from '@/CredentialTypes';
import { CredentialsService } from '../credentials.service';
describe('CredentialsService', () => {
const credType = mock<ICredentialType>({
extends: [],
properties: [
{
name: 'clientSecret',
type: 'string',
typeOptions: { password: true },
doNotInherit: false,
},
{
name: 'accessToken',
type: 'string',
typeOptions: { password: true },
doNotInherit: false,
},
],
});
const credentialTypes = mock<CredentialTypes>();
const service = new CredentialsService(
mock(),
mock(),
mock(),
mock(),
mock(),
mock(),
credentialTypes,
mock(),
mock(),
mock(),
mock(),
);
describe('redact', () => {
it('should redact sensitive values', () => {
const credential = mock<CredentialsEntity>({
id: '123',
name: 'Test Credential',
type: 'oauth2',
});
const decryptedData = {
clientId: 'abc123',
clientSecret: 'sensitiveSecret',
accessToken: '',
oauthTokenData: 'super-secret',
csrfSecret: 'super-secret',
};
credentialTypes.getByName.calledWith(credential.type).mockReturnValue(credType);
const redactedData = service.redact(decryptedData, credential);
expect(redactedData).toEqual({
clientId: 'abc123',
clientSecret: CREDENTIAL_BLANKING_VALUE,
accessToken: CREDENTIAL_EMPTY_VALUE,
oauthTokenData: CREDENTIAL_BLANKING_VALUE,
csrfSecret: CREDENTIAL_BLANKING_VALUE,
});
});
});
});

View file

@ -407,7 +407,7 @@ export class CredentialsService {
for (const dataKey of Object.keys(copiedData)) {
// The frontend only cares that this value isn't falsy.
if (dataKey === 'oauthTokenData') {
if (dataKey === 'oauthTokenData' || dataKey === 'csrfSecret') {
if (copiedData[dataKey].toString().length > 0) {
copiedData[dataKey] = CREDENTIAL_BLANKING_VALUE;
} else {