Disallow empty keys when accessing secrets

max-mironov · Oct 7, 2020 · d433484 · d433484
1 parent e2eeb5a
commit d433484
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/secrets/errors.go b/secrets/errors.go
@@ -9,6 +9,9 @@ import (
 // encoding in the secrets.json file.
 var ErrInvalidEncoding = errors.New("secrets: invalid encoding, expected identity, base64 or empty")
 
+// ErrEmptySecretKey is returned when the path for a secret is empty.
+var ErrEmptySecretKey = errors.New("secrets: secret path cannot be empty")
+
 // TooManyFieldsError is a type of errors could be returned by
 // Document.Validate.
 //

diff --git a/secrets/secrets.go b/secrets/secrets.go
@@ -38,6 +38,9 @@ type Secrets struct {
 
 // GetSimpleSecret fetches a simple secret or error if the key is not present.
 func (s *Secrets) GetSimpleSecret(path string) (SimpleSecret, error) {
+	if path == "" {
+		return SimpleSecret{}, ErrEmptySecretKey
+	}
 	secret, ok := s.simpleSecrets[path]
 	if !ok {
 		return secret, SecretNotFoundError(path)
@@ -48,6 +51,9 @@ func (s *Secrets) GetSimpleSecret(path string) (SimpleSecret, error) {
 
 // GetVersionedSecret fetches a versioned secret or error if the key is not present.
 func (s *Secrets) GetVersionedSecret(path string) (VersionedSecret, error) {
+	if path == "" {
+		return VersionedSecret{}, ErrEmptySecretKey
+	}
 	secret, ok := s.versionedSecrets[path]
 	if !ok {
 		return secret, SecretNotFoundError(path)
@@ -59,6 +65,9 @@ func (s *Secrets) GetVersionedSecret(path string) (VersionedSecret, error) {
 // GetCredentialSecret fetches a credential secret or error if the key is not
 // present.
 func (s *Secrets) GetCredentialSecret(path string) (CredentialSecret, error) {
+	if path == "" {
+		return CredentialSecret{}, ErrEmptySecretKey
+	}
 	secret, ok := s.credentialSecrets[path]
 	if !ok {
 		return secret, SecretNotFoundError(path)