From 5b94bbb49bcebe033f79007661e35315880a4493 Mon Sep 17 00:00:00 2001
From: Chris Roberts
Date: Thu, 25 Apr 2019 10:31:48 -0700
Subject: [PATCH] Scrub folder configuration data when persisting to disk

Before writing synced folder configuration data to the local data directory run content through the credential scrubber to remove any sensitive content before write.
---
 .../action/builtin/mixin_synced_folders.rb         |  8 ++-
 .../builtin/mixin_synced_folders_test.rb           | 60 +++++++++++++++++++
 2 files changed, 67 insertions(+), 1 deletion(-)

diff --git a/lib/vagrant/action/builtin/mixin_synced_folders.rb b/lib/vagrant/action/builtin/mixin_synced_folders.rb
index 08fa867a9..c2d8aabb5 100644
--- a/lib/vagrant/action/builtin/mixin_synced_folders.rb
+++ b/lib/vagrant/action/builtin/mixin_synced_folders.rb
@@ -97,8 +97,14 @@ module Vagrant
           end
         end
 
+        folder_data = JSON.dump(folders)
+
+        # Scrub any register credentials from the synced folders
+        # configuration data to prevent accidental leakage
+        folder_data = Util::CredentialScrubber.desensitize(folder_data)
+
         machine.data_dir.join("synced_folders").open("w") do |f|
-          f.write(JSON.dump(folders))
+          f.write(folder_data)
         end
       end
 
diff --git a/test/unit/vagrant/action/builtin/mixin_synced_folders_test.rb b/test/unit/vagrant/action/builtin/mixin_synced_folders_test.rb
index ff7a6e7c5..e07223753 100644
--- a/test/unit/vagrant/action/builtin/mixin_synced_folders_test.rb
+++ b/test/unit/vagrant/action/builtin/mixin_synced_folders_test.rb
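Review bot: `Util::CredentialScrubber.desensitize` is applied to the output of `JSON.dump(folders)`, so a registered secret containing a character the generator escapes (a `"` or `\`, say) no longer appears literally in `folder_data` and, assuming `desensitize` substitutes registered strings literally, is written to disk in its escaped form. Scrubbing each string value before serialization removes that dependence on JSON encoding; a recursive helper that does so is sketched below, leaving the write block as it is. Two smaller points: the comment `# Scrub any register credentials` should read `registered`, and since only strings registered via `CredentialScrubber.sensitive` are masked (that is what the new test setup relies on), anything else a provider puts into the folder options still lands on disk in clear text, so `open("w", 0600)` on the `synced_folders` file would be a cheap second layer. If the persisted copy is ever read back and reused, callers will now get the mask text instead of the credential, which is worth confirming. `save_synced_folders` begins before this hunk.
```ruby
        # Mask registered credentials in the folder values themselves, before
        # serialization, so JSON escaping cannot hide a secret from the scrubber.
        folder_data = JSON.dump(scrub_credentials(folders))
        # … unchanged: write folder_data to machine.data_dir.join("synced_folders") …

      # Return a copy of +value+ with CredentialScrubber applied to every String
      # inside nested Hash/Array structures; other leaves are returned as-is.
      def scrub_credentials(value)
        case value
        when Hash
          value.each_with_object({}) { |(k, v), acc| acc[k] = scrub_credentials(v) }
        when Array
          value.map { |v| scrub_credentials(v) }
        when String
          Util::CredentialScrubber.desensitize(value)
        else
          value
        end
      end
```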
@@ -256,6 +256,66 @@ describe Vagrant::Action::Builtin::MixinSyncedFolders do
     end
   end
 
+  describe "#save_synced_folders" do
+    let(:folders) { {} }
+    let(:options) { {} }
+    let(:output_file) { double("output_file") }
+
+    before do
+      allow(machine.data_dir).to receive(:join).with("synced_folders").
+        and_return(output_file)
+      allow(output_file).to receive(:open).and_yield(output_file)
+      allow(output_file).to receive(:write)
+    end
+
+    it "should write empty hash to file" do
+      expect(output_file).to receive(:write).with("{}")
+      subject.save_synced_folders(machine, folders, options)
+    end
+
+    it "should call credential scrubber before writing file" do
+      expect(Vagrant::Util::CredentialScrubber).to receive(:desensitize).and_call_original
+      subject.save_synced_folders(machine, folders, options)
+    end
+
+    context "when folder data is defined" do
+      let(:folders) {
+        {"root" => {
+          hostpath: "foo", type: "nfs", nfs__foo: "bar"}}
+      }
+
+      it "should write folder information to file" do
+        expect(output_file).to receive(:write).with(JSON.dump(folders))
+        subject.save_synced_folders(machine, folders, options)
+      end
+
+      context "when folder data configuration includes sensitive data" do
+        let(:password) { "VAGRANT_TEST_PASSWORD" }
+
+        before do
+          folders["root"][:folder_password] = password
+          Vagrant::Util::CredentialScrubber.sensitive(password)
+        end
+
+        after { Vagrant::Util::CredentialScrubber.unsensitive(password) }
+
+        it "should not include password when writing file" do
+          expect(output_file).to receive(:write) do |content|
+            expect(content).not_to include(password)
+          end
+          subject.save_synced_folders(machine, folders, options)
+        end
+
+        it "should mask password content when writing file" do
+          expect(output_file).to receive(:write) do |content|
+            expect(content).to include(Vagrant::Util::CredentialScrubber::REPLACEMENT_TEXT)
+          end
+          subject.save_synced_folders(machine, folders, options)
+        end
+      end
+    end
+  end
+
   describe "#synced_folders_diff" do
     it "sees two equal " do
       one =
{
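Review bot: The sensitive-data context only exercises a password that `JSON.dump` writes out unchanged (`"VAGRANT_TEST_PASSWORD"`), so it cannot tell whether the scrub, which the implementation runs on the serialized text, still masks a secret containing a character the generator escapes. A sibling context overriding `let(:password) { 'pa"ss' }` with the same two expectations would cover that case. The `"should call credential scrubber before writing file"` example also only asserts that `desensitize` is called, not that it runs before `write`; adding `.ordered` to that expectation and to an `expect(output_file).to receive(:write)` would make it match its name. The enclosing top-level `describe` starts before this hunk.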