From 73a5c8c3bf0df57d2756372717f89ee63aaa1fcd Mon Sep 17 00:00:00 2001
From: Sebastian van Hesteren
Date: Wed, 17 Jul 2024 12:00:40 +0200
Subject: [PATCH] Raise again on double keynames
---
 README.md | 16 ++++++++++++++++
 lib/eyaml/util.rb | 2 ++
 spec/eyaml/util_spec.rb | 4 ++--
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 534461f..8855bf0 100644
--- a/README.md
+++ b/README.md
@@ -169,6 +169,22 @@ If you're using the new Apple M1, you need to ensure that you're using a `ffi` t
 gem "ffi", github: "cheddar-me/ffi", branch: "apple-m1", submodules: true
 ```
+### Underscored vs de-underscored
+
+Keys that start with an underscore are treated as-is and are assumed unencrypted in the secrets/credentials files.
+To make our lives a little easier in calling them in the application they are callable without the underscore. So a `_secret` can be called with
+
+```ruby
+Rails.application.credentials.secret
+```
+and
+```ruby
+Rails.application.credentials._secret
+```
+
+To prevent conflicts with having the same name underscored and not, we don't allow that and the gem will raise an exception.
+This makes sense since we believe it could be a security hazard to have an encrypted key also unencrypted. The best solution is to give either a different name to make the intention clear.
+
 ## Development
 To get started, make sure you have a working version of Ruby locally. Then clone the repo, and run `bin/setup` (this will install `libsodium` if you're on a Mac and setup bundler). Running `bundle exec rake` or `bundle exec rake spec` will run the test suite.
diff --git a/lib/eyaml/util.rb b/lib/eyaml/util.rb
index 7e08aec..3bb0d32 100644
--- a/lib/eyaml/util.rb
+++ b/lib/eyaml/util.rb
@@ -17,6 +17,8 @@ def with_deep_deundescored_keys(hash)
 if key.start_with?("_")
 deunderscored_key = key[1..]
+ # We don't want to have an underscored and de-underscored key with the same name, so raise. This could be a security issue
+ raise KeyError, "De-underscored key '#{key[1..]}' already exists." if total.key?(deunderscored_key)
 total[deunderscored_key] = value unless total.key?(deunderscored_key)
 end
diff --git a/spec/eyaml/util_spec.rb b/spec/eyaml/util_spec.rb
index 7e28148..3ba7c5f 100644
--- a/spec/eyaml/util_spec.rb
+++ b/spec/eyaml/util_spec.rb
@@ -15,10 +15,10 @@
 expect(EYAML::Util.with_deep_deundescored_keys(yaml_without_prefix)).to eq({"a"=>"1", "b"=>"2", "c"=>{"d"=>"3", "_d"=>"3"}, "_c"=>{"d"=>"3", "_d"=>"3"}})
 end
- it "does not overwrite the not underscored key when we have an underscored key" do
+ it "will raise when a de-underscored key already exists" do
 yaml_without_prefix = YAML.load_file(fixtures_root.join("pretty.yml")).merge("_b" => "X")
- expect(EYAML::Util.with_deep_deundescored_keys(yaml_without_prefix)).to eq({"a"=>"1", "b"=>"2", "_b"=>"X", "c"=>{"d"=>"3", "_d"=>"3"}, "_c"=>{"d"=>"3", "_d"=>"3"}})
+ expect { EYAML::Util.with_deep_deundescored_keys(yaml_without_prefix) }.to raise_error(KeyError)
 end
 end
 end
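Review bot: The duplicate check added in the lib/eyaml/util.rb hunk tests `total.key?(deunderscored_key)`, so it can only fire when the plain key was visited before the underscored one; if `_b` precedes `b` in the file, `total` does not hold `b` yet and nothing raises at this point. What then happens to the later `b` depends on code outside the hunk (the loop and the rest of the method are not shown), but the README now promises an exception for this case on security grounds, so the check should not depend on key order: `raise KeyError, "De-underscored key '#{deunderscored_key}' already exists." if hash.key?(deunderscored_key)`, assuming `total` is accumulated from the `hash` parameter. With the raise in place, the trailing `unless total.key?(deunderscored_key)` guard on the following line is always satisfied and can be dropped. The spec hunk in spec/eyaml/util_spec.rb only exercises `.merge("_b" => "X")`, where `_b` comes last; a second example with `_b` placed before `b` would pin the other order.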