mask credentials in malwarelist urls and prevent log poisoning when using custom urls

This commit is contained in:
123Haynes 2026-04-03 07:02:46 +00:00
parent da9e3d475e
commit 8ee123c321
2 changed files with 75 additions and 4 deletions


@ -2,6 +2,7 @@ import { describe, it, beforeEach, afterEach, mock } from "node:test";
import assert from "node:assert";
let configFileContent = undefined;
let loggedMessages = [];
mock.module("fs", {
namedExports: {
existsSync: () => configFileContent !== undefined,
@ -11,6 +12,14 @@ mock.module("fs", {
},
});
mock.module("../environment/userInteraction.js", {
namedExports: {
ui: {
writeInformation: (message) => loggedMessages.push(message),
},
},
});
const {
getNpmCustomRegistries,
getPipCustomRegistries,
@ -545,6 +554,7 @@ describe("getMalwareListBaseUrl", () => {
delete process.env[envVarName];
// Reset CLI arguments state
initializeCliArguments([]);
loggedMessages = [];
});
afterEach(() => {
@ -644,4 +654,46 @@ describe("getMalwareListBaseUrl", () => {
assert.strictEqual(url, "https://cli-mirror.com");
});
it("should mask credentials in logged URL from CLI argument", () => {
initializeCliArguments(["--safe-chain-malware-list-base-url=https://user:pass@cli-mirror.com"]);
const url = getMalwareListBaseUrl();
assert.strictEqual(url, "https://user:pass@cli-mirror.com");
assert.strictEqual(loggedMessages.length, 1);
assert.strictEqual(loggedMessages[0], "Fetching malware lists from https://***@cli-mirror.com as defined by CLI argument --safe-chain-malware-list-base-url");
});
it("should mask credentials in logged URL from environment variable", () => {
process.env[envVarName] = "https://user:pass@env-mirror.com";
const url = getMalwareListBaseUrl();
assert.strictEqual(url, "https://user:pass@env-mirror.com");
assert.strictEqual(loggedMessages.length, 1);
assert.strictEqual(loggedMessages[0], "Fetching malware lists from https://***@env-mirror.com as defined by environment variable SAFE_CHAIN_MALWARE_LIST_BASE_URL");
});
it("should mask credentials in logged URL from config file", () => {
configFileContent = JSON.stringify({
malwareListBaseUrl: "https://user:pass@config-mirror.com",
});
const url = getMalwareListBaseUrl();
assert.strictEqual(url, "https://user:pass@config-mirror.com");
assert.strictEqual(loggedMessages.length, 1);
assert.strictEqual(loggedMessages[0], "Fetching malware lists from https://***@config-mirror.com as defined by config file (malwareListBaseUrl)");
});
it("should sanitize control characters in logged URL", () => {
initializeCliArguments(["--safe-chain-malware-list-base-url=https://user:pass@cli-mirror.com\nmalicious"]);
const url = getMalwareListBaseUrl();
assert.strictEqual(url, "https://user:pass@cli-mirror.com\nmalicious");
assert.strictEqual(loggedMessages.length, 1);
assert.strictEqual(loggedMessages[0], "Fetching malware lists from https://***@cli-mirror.commalicious as defined by CLI argument --safe-chain-malware-list-base-url");
});
});
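Review bot: The control-character test (`should sanitize control characters in logged URL`) exercises only a bare `\n`; `\r` and the ESC byte `\x1b` are the other characters that typically let a log line be split or recoloured in a terminal or log viewer, and since the expected message shows the character being dropped rather than escaped, one case per character would pin the implementation, e.g. `initializeCliArguments(["--safe-chain-malware-list-base-url=https://cli-mirror.com\r\x1b[31mfake"]);` with the expected message asserting that both bytes are removed the same way. The masking tests all place the literal `user:pass@` in the authority; a URL whose `@` appears only in the path or query (`https://cli-mirror.com/p?u=user@example.com`) would confirm that only the userinfo component is masked and the rest of the URL is logged intact, although whether that already holds depends on the implementation in the sibling file, which this section does not show. The `loggedMessages = [];` reset added in `beforeEach` is what makes the `length === 1` assertions meaningful across tests, so a one-line comment there (`// tests assert on exactly one logged message`) would help the next maintainer keep it.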