Merge pull request #50 from UFGInsurance/fix/check-pom-for-sensitive

Check POM for sensitive property values
UFGInsurance · Dec 10, 2018 · ff7263d · ff7263d
2 parents 34a45fc + 3187f37
commit ff7263d
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 22 deletions.
diff --git a/mulint.js b/mulint.js
@@ -14,7 +14,7 @@ const validateLog4j = require("./validateLog4j");
 const assert = require("./assert");
 
 program
-  .version("1.8.0")
+  .version("1.9.0")
   .description("Mule project linter")
   .arguments("<apiBasePath>")
   .on("--help", () => {

diff --git a/sensitive.js b/sensitive.js
@@ -0,0 +1,22 @@
+const { propertyPlaceholderRegEx } = require("./constants");
+
+const sensitiveKeyRegEx = /password|pwd/i;
+
+// Primarily for Microsoft SQL Server connection strings
+// Negative lookahead - "password=" not followed by "replace" or "${"
+// (Case-insensitive, ignoring whitespace)
+const sensitiveValueRegEx = /password\s*=(?!\s*(?:replace|\${))/i;
+
+const securedPropertyRegEx = /^!\[.+\]$/;
+
+const isSensitive = (key, value) =>
+  (sensitiveKeyRegEx.test(key) &&
+    value &&
+    !value.toUpperCase().includes("REPLACE") &&
+    !securedPropertyRegEx.test(value) &&
+    !propertyPlaceholderRegEx.test(value)) ||
+  sensitiveValueRegEx.test(value);
+
+module.exports = {
+  isSensitive
+};
diff --git a/validatePom.js b/validatePom.js
@@ -3,6 +3,7 @@ const {
   cloudCIOnlyMavenProperties
 } = require("./constants");
 const assert = require("./assert");
+const sensitive = require("./sensitive");
 
 const domainProjectName = "api-gateway";
 const expectedDomainProjectVersionRegEx = /^1\.0\.[3-9]$/;
@@ -108,6 +109,12 @@ const validatePom = (folderInfo, pomInfo) => {
       distributionManagement[0].repository[0].url[0] === mavenRepository,
     "POM: Maven repository (Artifactory) not configured"
   );
+
+  pomInfo.properties.forEach((value, key) => {
+    if (sensitive.isSensitive(key, value)) {
+      assert.fail(`POM: ${key} may contain sensitive information`);
+    }
+  });
 };
 
 module.exports = validatePom;
diff --git a/validateProperties.js b/validateProperties.js
@@ -1,21 +1,9 @@
-const {
-  propertyPlaceholderRegEx,
-  cloudCIOnlyMavenProperties,
-  encoding
-} = require("./constants");
+const { cloudCIOnlyMavenProperties, encoding } = require("./constants");
 const fs = require("fs");
 const path = require("path");
 const os = require("os");
 const assert = require("./assert");
-
-const sensitiveKeyRegEx = /password|pwd/i;
-
-// Primarily for Microsoft SQL Server connection strings
-// Negative lookahead - "password=" not followed by "replace" or "${"
-// (Case-insensitive, ignoring whitespace)
-const sensitiveValueRegEx = /password\s*=(?!\s*(?:replace|\${))/i;
-
-const securedPropertyRegEx = /^!\[.+\]$/;
+const sensitive = require("./sensitive");
 
 // Loads a Java .properties file into a Map.
 const loadProperties = fileName =>
@@ -102,13 +90,7 @@ const validateProperties = (folderInfo, pomInfo) => {
       `${serverContext}: ${key} from ${localContext} not found`
     );
 
-    if (
-      (sensitiveKeyRegEx.test(key) &&
-        !value.toUpperCase().includes("REPLACE") &&
-        !securedPropertyRegEx.test(value) &&
-        !propertyPlaceholderRegEx.test(value)) ||
-      sensitiveValueRegEx.test(value)
-    ) {
+    if (sensitive.isSensitive(key, value)) {
       assert.fail(`${localContext}: ${key} may contain sensitive information`);
     }
   });