Scrub folder configuration data when persisting to disk

Before writing synced folder configuration data to the local data directory run content through the credential scrubber to remove any sensitive content before write.
2019-04-25 10:31:48 -07:00 · 2019-04-25 10:31:48 -07:00 · 5b94bbb49b
parent 92e6a29bfc
commit 5b94bbb49b
2 changed files with 67 additions and 1 deletions
--- a/lib/vagrant/action/builtin/mixin_synced_folders.rb
+++ b/lib/vagrant/action/builtin/mixin_synced_folders.rb
@ -97,8 +97,14 @@ module Vagrant
            end
          end

+          folder_data = JSON.dump(folders)
+
+          # Scrub any register credentials from the synced folders
+          # configuration data to prevent accidental leakage
+          folder_data = Util::CredentialScrubber.desensitize(folder_data)
+
          machine.data_dir.join("synced_folders").open("w") do |f|
-            f.write(JSON.dump(folders))
+            f.write(folder_data)
          end
        end

--- a/test/unit/vagrant/action/builtin/mixin_synced_folders_test.rb
+++ b/test/unit/vagrant/action/builtin/mixin_synced_folders_test.rb
@ -256,6 +256,66 @@ describe Vagrant::Action::Builtin::MixinSyncedFolders do
    end
  end

+  describe "#save_synced_folders" do
+    let(:folders) { {} }
+    let(:options) { {} }
+    let(:output_file) { double("output_file") }
+
+    before do
+      allow(machine.data_dir).to receive(:join).with("synced_folders").
+        and_return(output_file)
+      allow(output_file).to receive(:open).and_yield(output_file)
+      allow(output_file).to receive(:write)
+    end
+
+    it "should write empty hash to file" do
+      expect(output_file).to receive(:write).with("{}")
+      subject.save_synced_folders(machine, folders, options)
+    end
+
+    it "should call credential scrubber before writing file" do
+      expect(Vagrant::Util::CredentialScrubber).to receive(:desensitize).and_call_original
+      subject.save_synced_folders(machine, folders, options)
+    end
+
+    context "when folder data is defined" do
+      let(:folders) {
+        {"root" => {
+          hostpath: "foo", type: "nfs", nfs__foo: "bar"}}
+      }
+
+      it "should write folder information to file" do
+        expect(output_file).to receive(:write).with(JSON.dump(folders))
+        subject.save_synced_folders(machine, folders, options)
+      end
+
+      context "when folder data configuration includes sensitive data" do
+        let(:password) { "VAGRANT_TEST_PASSWORD" }
+
+        before do
+          folders["root"][:folder_password] = password
+          Vagrant::Util::CredentialScrubber.sensitive(password)
+        end
+
+        after { Vagrant::Util::CredentialScrubber.unsensitive(password) }
+
+        it "should not include password when writing file" do
+          expect(output_file).to receive(:write) do |content|
+            expect(content).not_to include(password)
+          end
+          subject.save_synced_folders(machine, folders, options)
+        end
+
+        it "should mask password content when writing file" do
+          expect(output_file).to receive(:write) do |content|
+            expect(content).to include(Vagrant::Util::CredentialScrubber::REPLACEMENT_TEXT)
+          end
+          subject.save_synced_folders(machine, folders, options)
+        end
+      end
+    end
+  end
+
  describe "#synced_folders_diff" do
    it "sees two equal " do
      one = {