Skip to content

Commit

Permalink
Merge pull request #99 from basecamp/undefined-method-error
Browse files Browse the repository at this point in the history
Prevent errors from leaking encrypted information
  • Loading branch information
jorgemanrubia authored Sep 24, 2023
2 parents bf94376 + 0498b35 commit a150996
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 1 deletion.
2 changes: 1 addition & 1 deletion docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ volumes:

services:
mysql:
image: percona:5.7.22
image: mariadb:latest
environment:
MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
volumes:
Expand Down
14 changes: 14 additions & 0 deletions lib/console1984/command_executor.rb
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,8 @@ def execute(commands, &block)
# We detected that a forbidden command was executed. We exit IRB right away.
flag_suspicious(commands, error: error)
Console1984.supervisor.exit_irb
rescue => error
raise encrypting_error(error)
ensure
run_as_system { session_logger.after_executing commands }
end
Expand Down Expand Up @@ -97,4 +99,16 @@ def run_command(run_by_user, &block)
ensure
@executing_user_command = original_value
end

def encrypting_error(error)
def error.inspect
Console1984.command_executor.execute_in_protected_mode { super }
end

def error.to_s
Console1984.command_executor.execute_in_protected_mode { super }
end

error
end
end
16 changes: 16 additions & 0 deletions test/encryption_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,22 @@ class EncryptionTest < ActiveSupport::TestCase
assert_equal "Other name", @person.reload.name
end

test "does not reveal attributes when raising errors" do
error = nil

begin
@console.execute <<~RUBY
Person.find(#{@person.id}).method_that_does_not_exist
RUBY
rescue => e
error = e
end

assert_not_nil error
assert_not_includes error.inspect.remove(@person.email), @person.name
assert_not_includes error.to_s.remove(@person.email), @person.name
end

private
def execute_decrypt_and_enter_reason
type_when_prompted "I need to fix encoding issue with Message 123456" do
Expand Down

0 comments on commit a150996

Please sign in to comment.