[keyserver] Make sanitizeInput work even if validation fails
ClosedPublic
Actions

Authored by ashoat on Tue, Jun 11, 6:45 AM.

Details

Reviewers

kamil
tomek

Commits

rCOMMff04951e9757: [keyserver] Make sanitizeInput work even if validation fails

Summary

We actually only use sanitizeInput when validation fails, so it's important that it works in this case.

See context here.

Test Plan

I added a test case to validation-utils.test.js that was failing before the changes in this diff

Diff Detail

Repository

rCOMM Comm

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

ashoat created this revision.Tue, Jun 11, 6:45 AM

ashoat mentioned this in D12387: [keyserver] Improve logging in checkInputValidator.Tue, Jun 11, 6:45 AM

Harbormaster completed remote builds in B29598: Diff 41206.Tue, Jun 11, 7:02 AM

ashoat requested review of this revision.Tue, Jun 11, 7:02 AM

I think this solution has an issue: some sensitive data could be placed in a prop that fails the validation and we probably won't be able to sanitize it properly. I don't think this problem can be solved in general, but maybe we should traverse the whole tree after the conversion and redact by hand all the fields that should usually be sanitized e.g. password.

This revision is now accepted and ready to land.Tue, Jun 11, 8:42 AM

Add some test cases

In D12391#351899, @tomek wrote:

I think this solution has an issue: some sensitive data could be placed in a prop that fails the validation and we probably won't be able to sanitize it properly.

Hmm... perhaps I'm not understanding you correctly. I added a couple test cases with nested validators, and these did reveal an issue: I wasn't propagating options during recursion. But a second traversal (as you suggested) didn't appear to be necessary.

Perhaps you are suggesting that we should redact properties based on their keys? That's probably not a bad idea, but I'd rather keep it out of the scope here for now.

The way it's written now, if an unrelated part of the input fails validation, passwords in an expected position should still be redacted. It's only if the password itself is in an unexpected position that we would fail to redact it.

This revision was landed with ongoing or failed builds.Tue, Jun 11, 9:25 AM

Closed by commit rCOMMff04951e9757: [keyserver] Make sanitizeInput work even if validation fails (authored by ashoat). · Explain Why

This revision was automatically updated to reflect the committed changes.

ashoat added a commit: rCOMMff04951e9757: [keyserver] Make sanitizeInput work even if validation fails.

Harbormaster completed remote builds in B29599: Diff 41207.Tue, Jun 11, 9:32 AM

Hmm... perhaps I'm not understanding you correctly. I added a couple test cases with nested validators, and these did reveal an issue: I wasn't propagating options during recursion. But a second traversal (as you suggested) didn't appear to be necessary.

Perhaps you are suggesting that we should redact properties based on their keys? That's probably not a bad idea, but I'd rather keep it out of the scope here for now.

Yeah, that's my suggestion. And agree, we don't have to include this in the scope right now.

The way it's written now, if an unrelated part of the input fails validation, passwords in an expected position should still be redacted. It's only if the password itself is in an unexpected position that we would fail to redact it.

I was thinking also about cases like this:

const validator = tShape<{
  +nested1: { +password: string },
}>({
  nested1: tShape<{ +password: string }>({
    password: tPassword,
  }),
});
const object = { nested2: { password: 'password' } };

Where we won't redact the password. So basically, any misplacement between the sensitive prop and the root would block us from sanitizing it.