From 6e6790937f2091c87c4f610f00ed5d67660dd23b Mon Sep 17 00:00:00 2001
From: Brad Rydzewski
Date: Mon, 7 Sep 2015 18:10:55 -0700
Subject: [PATCH] validate secret yaml before encrypting
---
 doc/build/secrets.md | 2 +-
 pkg/server/repos.go | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/doc/build/secrets.md b/doc/build/secrets.md
index 560e5e11e..64145a54b 100644
--- a/doc/build/secrets.md
+++ b/doc/build/secrets.md
@@ -4,7 +4,7 @@ Drone allows you to store secret variables in an encrypted `.drone.sec` file in
 An example `.drone.sec` yaml file, prior to being encryped:
-```
+```yaml
 checksum: f63561783e550ccd21663d13eaf6a4d252d84147
 environment:
 - HEROKU_TOKEN=pa$$word
diff --git a/pkg/server/repos.go b/pkg/server/repos.go
index 3b643f4ff..2c27c0125 100644
--- a/pkg/server/repos.go
+++ b/pkg/server/repos.go
@@ -8,6 +8,7 @@ import (
 "github.com/drone/drone/Godeps/_workspace/src/github.com/gin-gonic/gin"
 "github.com/drone/drone/Godeps/_workspace/src/github.com/gin-gonic/gin/binding"
+ "github.com/drone/drone/Godeps/_workspace/src/gopkg.in/yaml.v2"
 "github.com/drone/drone/pkg/hash"
 "github.com/drone/drone/pkg/remote"
@@ -261,7 +262,21 @@ func Encrypt(c *gin.Context) {
 c.Fail(500, err)
 return
 }
+
+ // make sure the Yaml is valid format to prevent
+ // a malformed value from being used in the build
+ err = yaml.Unmarshal(in, &yaml.MapSlice{})
+ if err != nil {
+ c.Fail(500, err)
+ return
+ }
+
+ // we found some strange characters included in
+ // the yaml file when entered into a browser textarea.
+ // these need to be removed
 in = bytes.Replace(in, []byte{'\xA0'}, []byte{' '}, -1)
+
+ // encrypts using go-jose
 out, err := secure.Encrypt(string(in), repo.Keys.Private)
 if err != nil {
 c.Fail(500, err)
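Review bot: The added `yaml.Unmarshal` check in `Encrypt` validates `in` before `bytes.Replace` rewrites it, so the bytes that pass validation are not the bytes handed to `secure.Encrypt`. Moving `in = bytes.Replace(in, []byte{'\xA0'}, []byte{' '}, -1)` above the `yaml.Unmarshal` call would make the check cover what is actually encrypted; this matters because replacing the single byte 0xA0 can also split a multi-byte UTF-8 sequence if the textarea content arrives as UTF-8. A parse failure here is a client input error, so `c.Fail(400, err)` fits better than 500, and since yaml.v2 error text can quote part of the offending value, it is worth confirming that the message returned or logged does not echo secret material. The body of `Encrypt` starts and ends outside this hunk.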