From 574ca7271db6cf66c28bba191d4577a30ed84166 Mon Sep 17 00:00:00 2001
From: tvangtarget <67977137+tvangtarget@users.noreply.github.com>
Date: Tue, 29 Sep 2020 08:35:43 -0500
Subject: [PATCH] fix: issue with accidental secret exposure via wrong syntax (#110)

* throw error if no source or target from secret slice
* fmt
* unnecessary leading newline (whitespace)
---
 yaml/secret.go | 8 ++++++++
 yaml/secret_test.go | 10 ++++++++++
 yaml/testdata/step_secret_slice_invalid_no_source.yml | 2 ++
 yaml/testdata/step_secret_slice_invalid_no_target.yml | 2 ++
 4 files changed, 22 insertions(+)
 create mode 100644 yaml/testdata/step_secret_slice_invalid_no_source.yml
 create mode 100644 yaml/testdata/step_secret_slice_invalid_no_target.yml

diff --git a/yaml/secret.go b/yaml/secret.go
index 58d99b23..443fa82d 100644
--- a/yaml/secret.go
+++ b/yaml/secret.go
@@ -6,6 +6,7 @@ package yaml
 
 import (
 	"errors"
+	"fmt"
 	"strings"
 
 	"github.com/go-vela/types/constants"
@@ -206,6 +207,13 @@ func (s *StepSecretSlice) UnmarshalYAML(unmarshal func(interface{}) error) error
 	// attempt to unmarshal as a step secret slice type
 	err = unmarshal(secrets)
 	if err == nil {
+		// check for secret source and target
+		for _, secret := range *secrets {
+			if len(secret.Source) == 0 || len(secret.Target) == 0 {
+				return fmt.Errorf("no secret source or target found")
+			}
+		}
+
 		// overwrite existing StepSecretSlice
 		*s = StepSecretSlice(*secrets)
 		return nil
diff --git a/yaml/secret_test.go b/yaml/secret_test.go
index e58561e6..aca19d96 100644
--- a/yaml/secret_test.go
+++ b/yaml/secret_test.go
@@ -288,6 +288,16 @@ func TestYaml_StepSecretSlice_UnmarshalYAML(t *testing.T) {
 			},
 		},
 	},
+	{
+		failure: true,
+		file:    "testdata/step_secret_slice_invalid_no_source.yml",
+		want:    nil,
+	},
+	{
+		failure: true,
+		file:    "testdata/step_secret_slice_invalid_no_target.yml",
+		want:    nil,
+	},
 	{
 		failure: true,
 		file:    "testdata/invalid.yml",
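Review bot: The new `return fmt.Errorf("no secret source or target found")` line uses no format verbs, so `errors.New` (already imported in this file) would do the same work without the added `fmt` import; if `fmt` is kept, it is more useful to say which entry is malformed, e.g. `for i, secret := range *secrets {` with `return fmt.Errorf("secret at index %d: missing source or target", i)`, so the author of a pipeline can find the offending item. The check treats only an absent or empty value as invalid, so a whitespace-only `source`/`target` still passes; `strings.TrimSpace` is available in this file if that should also be rejected. Failing the whole slice rather than silently dropping the bad entry is the right fail-closed behaviour for the problem the commit describes. UnmarshalYAML begins and ends outside this hunk, so what happens when the slice unmarshal itself fails is not visible here.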
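Review bot: The two new cases only cover a key that is missing entirely; a fixture where the key is present but empty (`- source: ""` together with a `target`) would reach the same `len(...) == 0` branch through a different YAML shape and is cheap to add as a third case. The `want: nil` values match the existing `invalid.yml` case directly below, so the table stays consistent. TestYaml_StepSecretSlice_UnmarshalYAML starts before and continues after this hunk.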
diff --git a/yaml/testdata/step_secret_slice_invalid_no_source.yml b/yaml/testdata/step_secret_slice_invalid_no_source.yml
new file mode 100644
index 00000000..1f7e6fc3
--- /dev/null
+++ b/yaml/testdata/step_secret_slice_invalid_no_source.yml
@@ -0,0 +1,2 @@
+---
+- target: foo
\ No newline at end of file
diff --git a/yaml/testdata/step_secret_slice_invalid_no_target.yml b/yaml/testdata/step_secret_slice_invalid_no_target.yml
new file mode 100644
index 00000000..3e0e29b1
--- /dev/null
+++ b/yaml/testdata/step_secret_slice_invalid_no_target.yml
@@ -0,0 +1,2 @@
+---
+- source: foo
\ No newline at end of file