fix: disable hiding of Sensitive params

if octocatalog-diff has access to them, then the user running it also has. showing them is no security issue. But not showing them is a problem when refactoring code to use Sensitive, because you don't see if you accidentally introduced other changes - for example forgetting an `unwrap` somewhere.
babiel · Mar 13, 2024 · 37a5a9b · 37a5a9b
1 parent 665f915
commit 37a5a9b
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 31 deletions.
diff --git a/lib/octocatalog-diff/catalog-diff/differ.rb b/lib/octocatalog-diff/catalog-diff/differ.rb
@@ -468,13 +468,6 @@ def ignored?(diff)
       def cleanse_parameters_hash(parameters_hash, sensitive_parameters)
         result = parameters_hash.dup
 
-        # hides sensitive params. We still need to know if there's a going to
-        # be a diff, so we hash the value.
-        sensitive_parameters.each do |p|
-          md5 = Digest::MD5.hexdigest Marshal.dump(result[p])
-          result[p] = 'Sensitive [md5sum ' + md5 + ']'
-        end
-
         # 'before' and 'require' handle internal Puppet ordering but do not affect what
         # happens on the target machine. Don't consider these for the purpose of catalog diff.
         result.delete('before')

diff --git a/spec/octocatalog-diff/tests/catalog-diff/differ_spec.rb b/spec/octocatalog-diff/tests/catalog-diff/differ_spec.rb
@@ -382,30 +382,6 @@
           result = testobj.catalog1
           expect(result.first['title']).to eq('/etc/foo')
         end
-
-        it 'should hide sensitive parameters' do
-          json_hash = {
-            'document_type' => 'Catalog',
-            'data' => {
-              'name' => 'rspec-node.github.net',
-              'tags' => [],
-              'resources' => [
-                {
-                  'type' => 'File',
-                  'title' => 'verysecretfile',
-                  'parameters' => {
-                    'content' => 'secret1'
-                  },
-                  'sensitive_parameters' => ['content']
-                }
-              ]
-            }
-          }
-          catalog = OctocatalogDiff::Catalog.create(json: JSON.generate(json_hash))
-          testobj = OctocatalogDiff::CatalogDiff::Differ.new(@options, catalog, @empty_puppet_catalog)
-          result = testobj.catalog1
-          expect(result.first['parameters']['content']).to eq('Sensitive [md5sum 05183a01bf8570c7691fc4e362998f3d]')
-        end
       end
 
       describe '#diff' do