From c5c92590c133fe0b7f2b2dd8df9dd48c1323ae8c Mon Sep 17 00:00:00 2001
From: Samuel Lorch
Date: Mon, 18 Aug 2025 15:02:22 +0200
Subject: [PATCH] Validate Secret on Get
---
 helper/resource_get.go | 41 +++++++++++------------------------------
 1 file changed, 11 insertions(+), 30 deletions(-)
diff --git a/helper/resource_get.go b/helper/resource_get.go
index 64fcc1f..36c8498 100644
--- a/helper/resource_get.go
+++ b/helper/resource_get.go
@@ -37,23 +37,24 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
 ctx := context.TODO()
+ rawSecretData, err := c.DecryptMessage(secret.Data)
+ if err != nil {
+ return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
+ }
+
+ err = validateSecretData(&rType, rawSecretData)
+ if err != nil {
+ return "", "", "", "", "", "", fmt.Errorf("Validate Secret Data: %w", err)
+ }
+
 switch rType.Slug {
 case "password-string":
- var err error
- pw, err = c.DecryptMessage(secret.Data)
- if err != nil {
- return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
- }
+ pw = rawSecretData
 name = resource.Name
 username = resource.Username
 uri = resource.URI
 desc = resource.Description
 case "password-and-description":
- rawSecretData, err := c.DecryptMessage(secret.Data)
- if err != nil {
- return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
- }
-
 var secretData api.SecretDataTypePasswordAndDescription
 err = json.Unmarshal([]byte(rawSecretData), &secretData)
 if err != nil {
@@ -65,11 +66,6 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
 pw = secretData.Password
 desc = secretData.Description
 case "password-description-totp":
- rawSecretData, err := c.DecryptMessage(secret.Data)
- if err != nil {
- return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
- }
-
 var secretData api.SecretDataTypePasswordDescriptionTOTP
 err = json.Unmarshal([]byte(rawSecretData), &secretData)
 if err != nil {
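Review bot: In the first hunk of `GetResourceFromData`, the new failure path `fmt.Errorf("Validate Secret Data: %w", err)` wraps whatever `validateSecretData` returns, and that function is handed the decrypted plaintext. `validateSecretData` is not shown here, so this is something to confirm rather than a finding: if its errors quote the offending field values, password or TOTP material would travel up the error chain and into whatever the caller logs. A comment at the call site would pin the contract, for example `// validateSecretData errors must name the violated rule only, never echo values from rawSecretData`. Separately, decrypt and validate now run before `switch rType.Slug`, so they also execute for any slug the switch does not handle, which changes the error such a resource reports; the function body starts and continues outside the hunk, so the remaining cases could not be checked.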
@@ -103,11 +99,6 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
 uri = metadata.URIs[0]
 }
- rawSecretData, err := c.DecryptMessage(secret.Data)
- if err != nil {
- return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
- }
-
 var secretData api.SecretDataTypeV5Default
 err = json.Unmarshal([]byte(rawSecretData), &secretData)
 if err != nil {
@@ -133,11 +124,6 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
 uri = metadata.URIs[0]
 }
- rawSecretData, err := c.DecryptMessage(secret.Data)
- if err != nil {
- return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
- }
-
 var secretData api.SecretDataTypeV5DefaultWithTOTP
 err = json.Unmarshal([]byte(rawSecretData), &secretData)
 if err != nil {
@@ -166,11 +152,6 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
 // Not available in the Secret
 desc = metadata.Description
- rawSecretData, err := c.DecryptMessage(secret.Data)
- if err != nil {
- return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
- }
-
 pw = rawSecretData
 case "v5-totp-standalone":
 rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType)