Skip to content

fix(deploy-tooling): prevent cleartext credentials in deploy configuration#4539

Open
longieirl wants to merge 4 commits intomainfrom
fix/issue-1156-prevent-cleartext-credentials
Open

fix(deploy-tooling): prevent cleartext credentials in deploy configuration#4539
longieirl wants to merge 4 commits intomainfrom
fix/issue-1156-prevent-cleartext-credentials

Conversation

@longieirl
Copy link
Copy Markdown
Contributor

@longieirl longieirl commented Apr 9, 2026

Summary

  • Add validateCredentials() guard in src/base/config.ts — throws if username or password is present but does not start with env:, ensuring credentials are always resolved from environment variables
  • Called from validateConfig() before replaceEnvVariables runs, covering both the CLI and UI5 task entry points
  • Parameter typed as NonNullable<AbapDeployConfig['credentials']> to eliminate redundant null guard inside the function

Closes #1156

Test plan

  • pnpm build passes
  • pnpm --filter @sap-ux/deploy-tooling lint passes (0 errors)
  • pnpm --filter @sap-ux/deploy-tooling test passes (126/126)
  • 6 new tests: plaintext username throws, plaintext password throws, both plaintext throws, both env: passes, absent credentials passes, only env-prefixed username passes
  • Changeset created: deploy-tooling-prevent-cleartext-credentials.md (patch)

@longieirl longieirl self-assigned this Apr 9, 2026
@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Apr 9, 2026
edited
Loading

🦋 Changeset detected

Latest commit: f8d81f7

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sap-ux/deploy-tooling Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@longieirl longieirl marked this pull request as ready for review April 9, 2026 12:22
@longieirl longieirl requested a review from a team as a code owner April 9, 2026 12:22
@longieirl longieirl requested a review from lfindlaysap April 9, 2026 12:24
lfindlaysap
lfindlaysap requested changes Apr 10, 2026
View reviewed changes
Comment thread packages/deploy-tooling/src/base/config.ts Outdated
@longieirl @lfindlaysap
Apply suggestion from @lfindlaysap
a69cf2f 
Co-authored-by: Louise Findlay <louise.findlay@sap.com>
@longieirl longieirl requested a review from lfindlaysap April 10, 2026 09:41
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Apr 10, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

mikicvi-SAP
mikicvi-SAP approved these changes Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@mikicvi-SAP mikicvi-SAP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @longieirl

  • Changes look good, plenty of tests
  • Changeset ✅
  • Did not test manually

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mikicvi-SAP mikicvi-SAP mikicvi-SAP approved these changes

@lfindlaysap lfindlaysap lfindlaysap approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees

@longieirl longieirl

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

TBI - ABAP deployment should prevent crendentials being entered in clear text

3 participants

@longieirl @mikicvi-SAP @lfindlaysap