fix: unset NOTATION_USERNAME and NOTATION_PASSWORD to avoid leaking c…

…redentials to plugin (#746) Fix:unset credentials env after read the value (Resolves #709) Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
notaryproject · Jul 20, 2023 · 0cc39b3 · 0cc39b3
1 parent 50609fd
commit 0cc39b3
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 0 deletions.
diff --git a/cmd/notation/main.go b/cmd/notation/main.go
@@ -26,6 +26,12 @@ func main() {
 		Use:          "notation",
 		Short:        "Notation - a tool to sign and verify artifacts",
 		SilenceUsage: true,
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+			// unset registry credentials after read the value from environment
+			// to avoid leaking credentials
+			os.Unsetenv(defaultUsernameEnv)
+			os.Unsetenv(defaultPasswordEnv)
+		},
 	}
 	cmd.AddCommand(
 		signCommand(nil),

diff --git a/cmd/notation/main_test.go b/cmd/notation/main_test.go
@@ -0,0 +1,39 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"os"
+	"testing"
+)
+
+func Test_UnsetEnvCredential(t *testing.T) {
+	const notationUsername = "NOTATION_USERNAME"
+	const notationPassword = "NOTATION_PASSWORD"
+	// Set environment variables for testing
+	os.Setenv(notationUsername, "testuser")
+	os.Setenv(notationPassword, "testpassword")
+	os.Args = []string{"notation", "version"}
+
+	main()
+
+	// check credentials environment variables are unset
+	if os.Getenv(notationUsername) != "" {
+		t.Errorf("expected %s to be unset", notationUsername)
+	}
+
+	if os.Getenv(notationPassword) != "" {
+		t.Errorf("expected %s to be unset", notationPassword)
+	}
+}
diff --git a/test/e2e/plugin/main.go b/test/e2e/plugin/main.go
@@ -15,16 +15,31 @@ package main
 
 import (
 	"encoding/json"
+	"errors"
 	"os"
 
+	"github.com/notaryproject/notation-go/plugin/proto"
 	"github.com/spf13/cobra"
 )
 
+const NOTATION_USERNAME = "NOTATION_USERNAME"
+const NOTATION_PASSWORD = "NOTATION_PASSWORD"
+
 func main() {
 	cmd := &cobra.Command{
 		Use:           "plugin for Notation E2E test",
 		SilenceUsage:  true,
 		SilenceErrors: true,
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			// check registry credentials are eliminated
+			if os.Getenv(NOTATION_USERNAME) != "" || os.Getenv(NOTATION_PASSWORD) != "" {
+				return &proto.RequestError{
+					Code: proto.ErrorCodeValidation,
+					Err:  errors.New("registry credentials are not eliminated"),
+				}
+			}
+			return nil
+		},
 	}
 
 	cmd.AddCommand(