From e103b291ad86f5048c401328f995ee871da6d17a Mon Sep 17 00:00:00 2001
From: Piotr Sarnacki
Date: Wed, 10 Sep 2014 10:46:13 +0200
Subject: [PATCH] Reset value when env var is changed from private to public
When env var is changed from private to public, we didn't nullify it, so someone doing that could miss exposing it. To minimise the risk of exposing any secure info we'll now nullify the value.
---
 lib/travis/api/app/endpoint/env_vars.rb | 31 +++++++++++++++++++
 .../api/app/endpoint/setting_endpoint.rb | 14 ++++++---
 spec/integration/v2/settings/env_vars_spec.rb | 14 +++++++++
 3 files changed, 54 insertions(+), 5 deletions(-)
 create mode 100644 lib/travis/api/app/endpoint/env_vars.rb
diff --git a/lib/travis/api/app/endpoint/env_vars.rb b/lib/travis/api/app/endpoint/env_vars.rb
new file mode 100644
index 00000000..0bed10fe
--- /dev/null
+++ b/lib/travis/api/app/endpoint/env_vars.rb
@@ -0,0 +1,31 @@
+require 'travis/api/app'
+require 'travis/api/app/endpoint/setting_endpoint'
+
+class Travis::Api::App
+ class Endpoint
+ class EnvVars < SettingsEndpoint
+ define_method(:name) { :env_vars }
+ define_routes!
+
+ def update
+ data = JSON.parse(request.body.read)[singular_name]
+ previously_public = record.public?
+ record.update(data)
+
+ # if we update from private to public reset value
+ if !previously_public && record.public?
+ record.value = nil
+ end
+
+ if record.valid?
+ repo_settings.save
+ respond_with(record, type: singular_name, version: :v2)
+ else
+ status 422
+ respond_with(record, type: :validation_error, version: :v2)
+ end
+ end
+
+ end
+ end
+end
diff --git a/lib/travis/api/app/endpoint/setting_endpoint.rb b/lib/travis/api/app/endpoint/setting_endpoint.rb
index dc1fb13a..44aca127
--- a/lib/travis/api/app/endpoint/setting_endpoint.rb
+++ b/lib/travis/api/app/endpoint/setting_endpoint.rb
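Review bot: A `value` sent in the same PATCH that flips `public` to true is silently discarded, because in `update` the reset runs after `record.update(data)`; that is the safe direction (the previously secret value can never survive the flip), but the one-line comment does not say so and clients will not expect a second request to be needed. Replace `# if we update from private to public reset value` with `# A private->public flip clears value AFTER update, so a value sent in the same request is dropped too; the old secret must never become readable through this route.` and state the two-request rule in the endpoint's API docs. Separately, `JSON.parse(request.body.read)[singular_name]` is nil when the body lacks the `env_var` key, and `record.update(nil)` then presumably raises and surfaces as a 500 rather than a 4xx; rejecting a missing or non-Hash `data` with `status 422` before calling `record.update` would keep the error path explicit. The base class `update` this overrides is not in the diff, so whether the two now diverge in other respects cannot be checked here.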
@@ -21,13 +21,17 @@ class Travis::Api::App
 def create_settings_class(name)
 klass = Class.new(self) do
 define_method(:name) { name }
- get("/", scope: :private) do index end
- get("/:id", scope: :private) do show end
- post("/", scope: :private) do create end
- patch("/:id", scope: :private) do update end
- delete("/:id", scope: :private) do destroy end
+ define_routes!
 end
 end
+
+ def define_routes!
+ get("/", scope: :private) do index end
+ get("/:id", scope: :private) do show end
+ post("/", scope: :private) do create end
+ patch("/:id", scope: :private) do update end
+ delete("/:id", scope: :private) do destroy end
+ end
 end
 
 # Rails style methods for easy overriding
diff --git a/spec/integration/v2/settings/env_vars_spec.rb b/spec/integration/v2/settings/env_vars_spec.rb
index 90a7d460..5c486f02
--- a/spec/integration/v2/settings/env_vars_spec.rb
+++ b/spec/integration/v2/settings/env_vars_spec.rb
@@ -83,6 +83,20 @@ describe Travis::Api::App::SettingsEndpoint do
 end
 
 describe 'PATCH /settings/env_vars/:id' do
+ it 'resets value if private key is made public' do
+ settings = repo.settings
+ env_var = settings.env_vars.create(name: 'FOO', value: 'bar')
+ settings.save
+
+ body = { env_var: { public: true } }.to_json
+ response = patch "/settings/env_vars/#{env_var.id}?repository_id=#{repo.id}", body, headers
+ json = JSON.parse(response.body)
+ json['env_var']['value'].should be_nil
+
+ updated_env_var = repo.reload.settings.env_vars.find(env_var.id)
+ updated_env_var.value.decrypt.should be_nil
+ end
+
 it 'should update a key' do
 settings = repo.settings
 env_var = settings.env_vars.create(name: 'FOO', value: 'bar')
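Review bot: `define_routes!` is now a public class-level entry point that subclasses must call themselves (EnvVars in the first file of this patch does), yet it carries no documentation and nothing states that every route it registers is `scope: :private` or that it must run after `name` is defined. Add above it `# Registers the five CRUD routes, all scope: :private. Call exactly once from a subclass body after :name is defined; a second call presumably registers a duplicate set of routes.` The enclosing scope that holds `create_settings_class` starts outside the hunk, so that context is inferred. As a point of style, the `!` suffix is unconventional here because no non-bang counterpart exists; `define_routes` would read the same.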
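Review bot: The new spec pins only the private-to-public flip; the `previously_public` guard in `EnvVars#update` exists so that an already public variable keeps its value on later updates, and no test covers that, so a regression that resets on every PATCH with `public: true` would pass this file. A second case for a PATCH that sends `public: true` together with a new `value` (expected nil under the current code) would also document the discard behaviour. The example below assumes `env_vars.create` accepts `public:` and that the v2 serializer returns `value` for public variables, as the existing assertion on `json['env_var']['value']` suggests.
```ruby
it 'keeps the value when an already public var is updated' do
  settings = repo.settings
  env_var = settings.env_vars.create(name: 'FOO', value: 'bar', public: true)
  settings.save

  body = { env_var: { name: 'BAR' } }.to_json
  response = patch "/settings/env_vars/#{env_var.id}?repository_id=#{repo.id}", body, headers
  json = JSON.parse(response.body)
  json['env_var']['value'].should == 'bar'
end
```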