fix: don’t accidentally leak credentials

hoodiehq · Aug 27, 2016 · d4f48aa · d4f48aa
1 parent 5ba3d09
commit d4f48aa
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/lib/config/assure-folders.js b/lib/config/assure-folders.js
@@ -2,6 +2,7 @@ module.exports = assureFolders
 
 var parallel = require('async').parallel
 var mkdirp = require('mkdirp')
+var url = require('url')
 
 function assureFolders (state, callback) {
   if (state.inMemory) {
@@ -11,7 +12,11 @@ function assureFolders (state, callback) {
   var tasks = [
     mkdirp.bind(null, state.config.paths.data)
   ]
-  if (state.db.options.prefix) {
+
+  // if the prefix has a protocol like 'http', we assume that this is an external
+  // prefix and we don't create the local folder to prevent accidental credential
+  // leakage
+  if (state.db.options.prefix && !url.parse(state.db.options.prefix).protocol) {
     tasks.push(mkdirp.bind(null, state.db.options.prefix))
   }
 

diff --git a/test/unit/assure-folders-test.js b/test/unit/assure-folders-test.js
@@ -55,5 +55,32 @@ test('assure config folders', function (group) {
     })
   })
 
+  group.test('with config.db.prefix that is an url', function (t) {
+    var mkdirpMock = simple.stub().callbackWith(null)
+    var assureFolders = proxyquire('../../lib/config/assure-folders', {
+      mkdirp: mkdirpMock
+    })
+
+    assureFolders({
+      config: {
+        paths: {
+          data: 'data path'
+        }
+      },
+      db: {
+        options: {
+          prefix: 'http://admin:admin@localhost:5984'
+        }
+      }
+    }, function (error) {
+      t.error(error)
+
+      t.is(mkdirpMock.callCount, 1, 'mkdirp called once')
+      t.is(mkdirpMock.lastCall.arg, 'data path', 'db prefix path created')
+
+      t.end()
+    })
+  })
+
   group.end()
 })