#7744: Fix integration config sanitization

contrib/integrations/automation-anywhere.yaml

@@ -2,18 +2,17 @@ apiVersion: v1
 kind: service
 metadata:
   id: automation-anywhere/control-room
-  version: 1.0.0
+  version: 1.0.2
   name: Automation Anywhere Control Room
-  description: Automation Anywhere Enterprise Control Room API
-  url: https://docs.automationanywhere.com/bundle/enterprise-v11.3/page/enterprise/topics/control-room/control-room-api/control-room-apis.html
+  description: Automation Anywhere Room API
 inputSchema:
   $schema: "https://json-schema.org/draft/2019-09/schema#"
   type: object
   properties:
     controlRoomUrl:
       type: string
       format: uri
-      description: The Automation Anywhere Control Room API base URL, including https://
+      description: The Automation Anywhere Control Room API base URL, starting with https:// and ending with a domain or IP address (excluding trailing slashes)
       pattern: '^https:\/\/(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])(:\d{1,5})?$'
     username:
       type: string
@@ -28,12 +27,11 @@ inputSchema:
         password for users that are assigned to the API key generation role.
     folderId:
       type: string
-      description: (Deprecated) The folder ID containing the bots to run
-      format: '\d+'
+      description: The folder ID containing the bots to run
+      pattern: '\d+'
   required:
+    - controlRoomUrl
     - username
-uiSchema:
-  ui:order: ["controlRoomUrl", "username", "password", "apiKey", "folderId"]
 authentication:
   baseURL: "{{{ controlRoomUrl }}}"
   token:

src/integrations/UserDefinedIntegration.test.ts

@@ -32,8 +32,8 @@ describe("UserDefinedIntegration", () => {
     const integration = fromJS(
       automationAnywhere as unknown as IntegrationDefinition,
     );
-    expect(integration.version).toBe("1.0.0");
-    expect(integration.uiSchema["ui:order"]).toBeArrayOfSize(5);
+    expect(integration.version).toBe("1.0.2");
+    expect(integration.schema.properties).toBeObject();
   });
 
   test("get origins for oauth2 integration", () => {

src/integrations/sanitizeIntegrationConfig.test.ts

@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2024 PixieBrix, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+import { sanitizeIntegrationConfig } from "@/integrations/sanitizeIntegrationConfig";
+import automationAnywhere from "@contrib/integrations/automation-anywhere.yaml";
+import { fromJS } from "@/integrations/UserDefinedIntegration";
+import type { IntegrationDefinition } from "@/integrations/integrationTypes";
+
+const aaIntegration = fromJS(
+  automationAnywhere as unknown as IntegrationDefinition,
+);
+
+describe("sanitizeIntegrationConfig", () => {
+  it("excludes secrets", () => {
+    const config = {
+      apiKey: "123",
+      password: "pass",
+    };
+    const sanitizedConfig = sanitizeIntegrationConfig(aaIntegration, config);
+    expect(sanitizedConfig).toEqual({});
+  });
+
+  it("excludes unset fields", () => {
+    const config = {};
+    const sanitizedConfig = sanitizeIntegrationConfig(aaIntegration, config);
+    expect(sanitizedConfig).toEqual({});
+  });
+
+  it("includes null fields", () => {
+    const config: { username: null } = { username: null };
+    const sanitizedConfig = sanitizeIntegrationConfig(aaIntegration, config);
+    expect(sanitizedConfig).toEqual({ username: null });
+  });
+
+  it("includes set non-secret fields", () => {
+    const config = {
+      controlRoomUrl: "https://controlroom.example.com",
+      username: "user",
+      folderId: "12345",
+    };
+    const sanitizedConfig = sanitizeIntegrationConfig(aaIntegration, config);
+    expect(sanitizedConfig).toEqual({
+      controlRoomUrl: config.controlRoomUrl,
+      username: config.username,
+      folderId: config.folderId,
+    });
+  });
+});

src/integrations/sanitizeIntegrationConfig.ts

@@ -34,13 +34,19 @@ export function sanitizeIntegrationConfig(
 ): SanitizedConfig {
   const result: SanitizedConfig = {} as SanitizedConfig;
   for (const [key, type] of Object.entries(inputProperties(service.schema))) {
+    // eslint-disable-next-line security/detect-object-injection
+    const value = config[key];
+
     if (
       typeof type !== "boolean" &&
-      (!type.$ref || !REF_SECRETS.includes(type.$ref))
+      (!type.$ref || !REF_SECRETS.includes(type.$ref)) &&
+      // Explicitly check for undefined to be safe, even though we should never see it in practice
+      // because it's not valid JSON. We could just check "key in config" instead.
+      value !== undefined
     ) {
       // Safe because we're getting from Object.entries
       // eslint-disable-next-line security/detect-object-injection
-      result[key] = config[key] ?? null;
+      result[key] = value;
     }
   }
 

src/tsconfig.strictNullChecks.json

@@ -347,6 +347,7 @@
     "./integrations/constants.ts",
     "./integrations/integrationTypes.ts",
     "./integrations/sanitizeIntegrationConfig.ts",
+    "./integrations/sanitizeIntegrationConfig.test.ts",
     "./integrations/store/integrationsMigrations.ts",
     "./integrations/store/integrationsSelectors.ts",
     "./integrations/store/integrationsSlice.ts",