suzanne.soy/travis-api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Reset value when env var is changed from private to public

Browse Source 
When env var is changed from private to public, we didn't nullify it, so
someone doing that could miss exposing it. To minimise the risk of
exposing any secure info we'll now nullify the value.
This commit is contained in:
Piotr Sarnacki 2014-09-10 10:46:13 +02:00
parent 3e33ab15d5
commit e103b291ad
3 changed files with 54 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
lib/travis/api/app/endpoint/env_vars.rb Normal file
View File

@ -0,0 +1,31 @@
require 'travis/api/app'
require 'travis/api/app/endpoint/setting_endpoint'
class Travis::Api::App
class Endpoint
class EnvVars < SettingsEndpoint
define_method(:name) { :env_vars }
define_routes!
def update
data = JSON.parse(request.body.read)[singular_name]
previously_public = record.public?
record.update(data)
# if we update from private to public reset value
if !previously_public && record.public?
record.value = nil
end
if record.valid?
repo_settings.save
respond_with(record, type: singular_name, version: :v2)
else
status 422
respond_with(record, type: :validation_error, version: :v2)
end
end
end
end
end

6
lib/travis/api/app/endpoint/setting_endpoint.rb
View File

@ -21,6 +21,11 @@ class Travis::Api::App
def create_settings_class(name) def create_settings_class(name)
klass = Class.new(self) do klass = Class.new(self) do
define_method(:name) { name } define_method(:name) { name }
define_routes!
end
end
def define_routes!
get("/", scope: :private) do index end get("/", scope: :private) do index end
get("/:id", scope: :private) do show end get("/:id", scope: :private) do show end
post("/", scope: :private) do create end post("/", scope: :private) do create end
@ -28,7 +33,6 @@ class Travis::Api::App
delete("/:id", scope: :private) do destroy end delete("/:id", scope: :private) do destroy end
end end
end end
end
# Rails style methods for easy overriding # Rails style methods for easy overriding
def index def index

14
spec/integration/v2/settings/env_vars_spec.rb
View File

@ -83,6 +83,20 @@ describe Travis::Api::App::SettingsEndpoint do
end end
describe 'PATCH /settings/env_vars/:id' do describe 'PATCH /settings/env_vars/:id' do
it 'resets value if private key is made public' do
settings = repo.settings
env_var = settings.env_vars.create(name: 'FOO', value: 'bar')
settings.save
body = { env_var: { public: true } }.to_json
response = patch "/settings/env_vars/#{env_var.id}?repository_id=#{repo.id}", body, headers
json = JSON.parse(response.body)
json['env_var']['value'].should be_nil
updated_env_var = repo.reload.settings.env_vars.find(env_var.id)
updated_env_var.value.decrypt.should be_nil
end
it 'should update a key' do it 'should update a key' do
settings = repo.settings settings = repo.settings
env_var = settings.env_vars.create(name: 'FOO', value: 'bar') env_var = settings.env_vars.create(name: 'FOO', value: 'bar')