fix: issue with accidental secret exposure via wrong syntax (#110)

* throw error if no source or target from secret slice

* fmt

* unnecessary leading newline (whitespace)

yaml/secret.go

@@ -6,6 +6,7 @@ package yaml
 
 import (
 	"errors"
+	"fmt"
 	"strings"
 
 	"github.com/go-vela/types/constants"
@@ -206,6 +207,13 @@ func (s *StepSecretSlice) UnmarshalYAML(unmarshal func(interface{}) error) error
 	// attempt to unmarshal as a step secret slice type
 	err = unmarshal(secrets)
 	if err == nil {
+		// check for secret source and target
+		for _, secret := range *secrets {
+			if len(secret.Source) == 0 || len(secret.Target) == 0 {
+				return fmt.Errorf("no secret source or target found")
+			}
+		}
+
 		// overwrite existing StepSecretSlice
 		*s = StepSecretSlice(*secrets)
 		return nil

yaml/secret_test.go

@@ -288,6 +288,16 @@ func TestYaml_StepSecretSlice_UnmarshalYAML(t *testing.T) {
 				},
 			},
 		},
+		{
+			failure: true,
+			file:    "testdata/step_secret_slice_invalid_no_source.yml",
+			want:    nil,
+		},
+		{
+			failure: true,
+			file:    "testdata/step_secret_slice_invalid_no_target.yml",
+			want:    nil,
+		},
 		{
 			failure: true,
 			file:    "testdata/invalid.yml",

yaml/testdata/step_secret_slice_invalid_no_source.yml

@@ -0,0 +1,2 @@
+---
+- target: foo

yaml/testdata/step_secret_slice_invalid_no_target.yml

@@ -0,0 +1,2 @@
+---
+- source: foo