[pat] Harden Personal Access Token name validation #14903

Merged
merged 1 commit into from
Nov 24, 2022

Conversation

easyCZ
Member

@easyCZ easyCZ commented Nov 23, 2022

Description

Hardens Personal Access Token name validation. See regex for allowed format.

Related Issue(s)

Fixes #

How to test

Unit tests

Release Notes

NONE

Documentation

Werft options:

  • /werft with-local-preview
    If enabled, this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh

@easyCZ easyCZ requested review from a team November 23, 2022 21:44
@github-actions github-actions bot added team: SID team: IDE team: webapp Issue belongs to the WebApp team team: workspace Issue belongs to the Workspace team labels Nov 23, 2022
@easyCZ easyCZ mentioned this pull request Nov 23, 2022
Contributor

@andrew-farries andrew-farries left a comment

/hold for question

@@ -71,6 +72,21 @@ func TestTokensService_CreatePersonalAccessTokenWithoutFeatureFlag(t *testing.T)
require.Equal(t, connect.CodeInvalidArgument, connect.CodeOf(err))
})

t.Run("invalid argument when name does not match required regex", func(t *testing.T) {
_, _, client := setupTokensService(t, withTokenFeatureDisabled)
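Review bot: the new subtest on the last line of the hunk builds the service with `withTokenFeatureDisabled`, so its expectation that a name failing the regex surfaces as `CodeInvalidArgument` holds only because argument validation runs before the feature-flag check; if that ordering ever changes, the case would fail on the flag rather than on the name. Since the enclosing function is `TestTokensService_CreatePersonalAccessTokenWithoutFeatureFlag`, either state that dependency in a comment on the subtest or add the regex case to a feature-enabled test function as well, so the name rule is covered independently of the flag.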
Contributor

Why is the token service configured with the token feature disabled? Not only in this test but in some others here too.

Member Author

Probably copy-paste. It happens to work because the validation happens irrespective of whether the feature is enabled (we only check that the feature is enabled after we validate that we got sensible arguments). I'll follow up on this (in another PR) to reduce the confusion.
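As an added illustration of the ordering described in this thread (not code from the PR or the project's codebase): argument validation runs before the feature-flag gate, so a malformed name is rejected as an invalid argument even when the feature is off. The regex, the error values and the function names are hypothetical stand-ins, since the PR's actual pattern is not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Hypothetical name policy: 3-63 characters, alphanumeric first character,
// then letters, digits, space, underscore, dot or hyphen. Not the PR's regex.
var tokenNameRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9 _.-]{2,62}$`)

var (
	ErrInvalidArgument = errors.New("invalid argument")
	ErrFeatureDisabled = errors.New("personal access tokens are disabled")
)

// validateTokenName rejects any name outside the allowed format.
func validateTokenName(name string) error {
	if !tokenNameRe.MatchString(name) {
		return fmt.Errorf("%w: token name %q does not match required format", ErrInvalidArgument, name)
	}
	return nil
}

// createPersonalAccessToken mirrors the ordering from the review thread:
// validate arguments first, consult the feature flag only afterwards.
// This is why a test with the feature disabled still observes the
// invalid-argument error for a bad name.
func createPersonalAccessToken(name string, featureEnabled bool) (string, error) {
	if err := validateTokenName(name); err != nil {
		return "", err
	}
	if !featureEnabled {
		return "", ErrFeatureDisabled
	}
	// Placeholder token value; a real implementation would generate a secret.
	return "pat_" + name, nil
}

func main() {
	for _, name := range []string{"", "bad/name", "my-token"} {
		_, err := createPersonalAccessToken(name, false)
		fmt.Printf("feature disabled, name %q: %v\n", name, err)
	}
}
```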

@easyCZ easyCZ force-pushed the mp/pat-validate-token-name branch from c477a65 to 29bb0c8 Compare November 24, 2022 08:38
@easyCZ easyCZ force-pushed the mp/pat-validate-token-name branch from 29bb0c8 to 9e81f96 Compare November 24, 2022 08:39
@easyCZ
Member Author

easyCZ commented Nov 24, 2022

/unhold

@roboquat roboquat merged commit 2ce9d02 into main Nov 24, 2022
@roboquat roboquat deleted the mp/pat-validate-token-name branch November 24, 2022 08:57
@roboquat roboquat added deployed: webapp Meta team change is running in production deployed: IDE IDE change is running in production labels Nov 24, 2022
@roboquat roboquat added the deployed: workspace Workspace team change is running in production label Dec 7, 2022
Labels
deployed: IDE IDE change is running in production deployed: webapp Meta team change is running in production deployed: workspace Workspace team change is running in production release-note-none size/M team: IDE team: SID team: webapp Issue belongs to the WebApp team team: workspace Issue belongs to the Workspace team