Allow access to pm.vault only when vaultSecrets is set

postmanlabs · Jul 31, 2024 · 789d0d7 · 789d0d7
1 parent 712fe80
commit 789d0d7
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 6 deletions.
diff --git a/CHANGELOG.yaml b/CHANGELOG.yaml
@@ -1,3 +1,7 @@
+unreleased:
+  chores:
+    - Allowed access to `pm.vault` only when `vaultSecrets` is set
+
 5.1.0:
   date: 2024-07-29
   new features:

diff --git a/lib/sandbox/execute.js b/lib/sandbox/execute.js
@@ -250,6 +250,11 @@ module.exports = function (bridge, glob) {
             disabledAPIs.push('require');
         }
 
+        // @todo: throw helpful error message if script access to vault is disabled
+        if (!context.vaultSecrets) {
+            disabledAPIs.push('vault');
+        }
+
         // send control to the function that executes the context and prepares the scope
         executeContext(scope, code, execution,
             // if a console is sent, we use it. otherwise this also prevents erroneous referencing to any console

diff --git a/test/unit/pm-variables-tracking.test.js b/test/unit/pm-variables-tracking.test.js
@@ -30,7 +30,11 @@ describe('pm api variables', function () {
                 assert.equal(pm.vault.mutations.count(), 0);
                 pm.vault.set('foo', 'foo');
                 assert.equal(pm.vault.mutations.count(), 1);
-            `, done);
+            `, {
+                context: {
+                    vaultSecrets: {} // enable pm.vault
+                }
+            }, done);
         });
     });
 
@@ -46,7 +50,11 @@ describe('pm api variables', function () {
                 pm.globals.set('foo', 'global');
                 pm.collectionVariables.set('foo', 'collectionVariables');
                 pm.vault.set('foo', 'vaultVariable');
-            `, function (err, result) {
+            `, {
+                context: {
+                    vaultSecrets: {} // enable pm.vault
+                }
+            }, function (err, result) {
                 if (err) {
                     return done(err);
                 }

diff --git a/test/unit/sandbox-libraries/pm.test.js b/test/unit/sandbox-libraries/pm.test.js
@@ -1,5 +1,4 @@
-const { VariableScope } = require('postman-collection'),
-    CookieStore = require('@postman/tough-cookie').Store;
+const CookieStore = require('@postman/tough-cookie').Store;
 
 describe('sandbox library - pm api', function () {
     this.timeout(1000 * 60);
@@ -31,7 +30,7 @@ describe('sandbox library - pm api', function () {
                 value: 2.9,
                 type: 'number'
             }],
-            vaultSecrets: new VariableScope({
+            vaultSecrets: {
                 prefix: 'vault:',
                 values: [{
                     key: 'vault:var1',
@@ -41,7 +40,7 @@ describe('sandbox library - pm api', function () {
                     key: 'vault:var2',
                     value: 'two-vault',
                     type: 'string'
-                }] }),
+                }] },
             data: {
                 var1: 'one-data'
             }
@@ -278,6 +277,13 @@ describe('sandbox library - pm api', function () {
     });
 
     describe('vault', function () {
+        it('should not be a function if vaultSecrets is not present', function (done) {
+            context.execute(`
+                var assert = require('assert');
+                assert.strictEqual((typeof pm.vault), 'undefined');
+            `, done);
+        });
+
         it('should be defined as VariableScope', function (done) {
             context.execute(`
                 var assert = require('assert'),