From 789d0d7b9b6d1a8a90f4f478320cf43156dd6ec6 Mon Sep 17 00:00:00 2001
From: Udit Vasu
Date: Wed, 31 Jul 2024 12:44:23 +0530
Subject: [PATCH] Allow access to `pm.vault` only when `vaultSecrets` is set
---
 CHANGELOG.yaml | 4 ++++
 lib/sandbox/execute.js | 5 +++++
 test/unit/pm-variables-tracking.test.js | 12 ++++++++++--
 test/unit/sandbox-libraries/pm.test.js | 14 ++++++++++----
 4 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.yaml b/CHANGELOG.yaml
index 53b0af6b..1fb9e41f 100644
--- a/CHANGELOG.yaml
+++ b/CHANGELOG.yaml
@@ -1,3 +1,7 @@
+unreleased:
+ chores:
+ - Allowed access to `pm.vault` only when `vaultSecrets` is set
+
 5.1.0:
 date: 2024-07-29
 new features:
diff --git a/lib/sandbox/execute.js b/lib/sandbox/execute.js
index d1debb63..5f3d96c5 100644
--- a/lib/sandbox/execute.js
+++ b/lib/sandbox/execute.js
@@ -250,6 +250,11 @@ module.exports = function (bridge, glob) {
 disabledAPIs.push('require');
 }
+ // @todo: throw helpful error message if script access to vault is disabled
+ if (!context.vaultSecrets) {
+ disabledAPIs.push('vault');
+ }
+
 // send control to the function that executes the context and prepares the scope
 executeContext(scope, code, execution,
 // if a console is sent, we use it. otherwise this also prevents erroneous referencing to any console
diff --git a/test/unit/pm-variables-tracking.test.js b/test/unit/pm-variables-tracking.test.js
index e81736d0..392cf818 100644
--- a/test/unit/pm-variables-tracking.test.js
+++ b/test/unit/pm-variables-tracking.test.js
@@ -30,7 +30,11 @@ describe('pm api variables', function () {
 assert.equal(pm.vault.mutations.count(), 0);
 pm.vault.set('foo', 'foo');
 assert.equal(pm.vault.mutations.count(), 1);
- `, done);
+ `, {
+ context: {
+ vaultSecrets: {} // enable pm.vault
+ }
+ }, done);
 });
 });
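Review bot: In lib/sandbox/execute.js the new gate `if (!context.vaultSecrets)` is a truthiness test, so any truthy value, including the empty `{}` the updated tests pass, exposes `pm.vault` to the script; the access decision rests entirely on whether the host includes the key. That contract is worth stating next to the check, for example `// presence of context.vaultSecrets is the only access gate for pm.vault; hosts must omit it for scripts that have not been granted vault access`. The `@todo` also leaves the denied case silent, so a script sees `pm.vault` as undefined rather than an explicit access error. The enclosing function starts and ends outside the hunk, and how `disabledAPIs` is enforced is not visible here.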
@@ -46,7 +50,11 @@ describe('pm api variables', function () {
 pm.globals.set('foo', 'global');
 pm.collectionVariables.set('foo', 'collectionVariables');
 pm.vault.set('foo', 'vaultVariable');
- `, function (err, result) {
+ `, {
+ context: {
+ vaultSecrets: {} // enable pm.vault
+ }
+ }, function (err, result) {
 if (err) {
 return done(err);
 }
diff --git a/test/unit/sandbox-libraries/pm.test.js b/test/unit/sandbox-libraries/pm.test.js
index 317608b6..d1c7f0b8 100644
--- a/test/unit/sandbox-libraries/pm.test.js
+++ b/test/unit/sandbox-libraries/pm.test.js
@@ -1,5 +1,4 @@
-const { VariableScope } = require('postman-collection'),
- CookieStore = require('@postman/tough-cookie').Store;
+const CookieStore = require('@postman/tough-cookie').Store;
 describe('sandbox library - pm api', function () {
 this.timeout(1000 * 60);
@@ -31,7 +30,7 @@ describe('sandbox library - pm api', function () {
 value: 2.9,
 type: 'number'
 }],
- vaultSecrets: new VariableScope({
+ vaultSecrets: {
 prefix: 'vault:',
 values: [{
 key: 'vault:var1',
@@ -41,7 +40,7 @@ describe('sandbox library - pm api', function () {
 key: 'vault:var2',
 value: 'two-vault',
 type: 'string'
- }] }),
+ }] },
 data: {
 var1: 'one-data'
 }
@@ -278,6 +277,13 @@ describe('sandbox library - pm api', function () {
 });
 describe('vault', function () {
+ it('should not be a function if vaultSecrets is not present', function (done) {
+ context.execute(`
+ var assert = require('assert');
+ assert.strictEqual((typeof pm.vault), 'undefined');
+ `, done);
+ });
+
 it('should be defined as VariableScope', function (done) {
 context.execute(`
 var assert = require('assert'),
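Review bot: In test/unit/sandbox-libraries/pm.test.js the added case is titled `should not be a function if vaultSecrets is not present` but asserts that `typeof pm.vault` is `'undefined'`; a title such as `should be undefined if vaultSecrets is not present` would match the assertion. The case also covers only an execution with no `vaultSecrets` at all, while the gate in execute.js tests truthiness, so a second case with `vaultSecrets` explicitly set to `null` would pin the falsy branch of this access control too. The hunk ends inside the following `should be defined as VariableScope` test, whose body continues outside it.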