From b58341a68b3c9786c9627d3315542b09dc125c7d Mon Sep 17 00:00:00 2001
From: moritzraho
Date: Mon, 9 Feb 2026 14:41:48 +0100
Subject: [PATCH 1/3] fix: hide new include-ims-annotation secrets
---
lib/common-templates/utils.js | 8 +++++++-
lib/common-templates/utils.test.js | 7 +++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/lib/common-templates/utils.js b/lib/common-templates/utils.js
index a5c8829..bc8fd34 100644
--- a/lib/common-templates/utils.js
+++ b/lib/common-templates/utils.js
@@ -24,12 +24,18 @@ governing permissions and limitations under the License.
*
*/
function stringParameters (params) {
+ // hide credentials from the include-ims-credentials annotation
+ let imsCredentials = params.__ims_oauth_s2s || {}
+ if (imsCredentials.client_secret) {
+ imsCredentials = { ...imsCredentials, client_secret: '<hidden>' }
+ }
// hide authorization token without overriding params
let headers = params.__ow_headers || {}
if (headers.authorization) {
headers = { ...headers, authorization: '<hidden>' }
}
- return JSON.stringify({ ...params, __ow_headers: headers })
+
+ return JSON.stringify({ ...params, __ow_headers: headers, __ims_oauth_s2s: imsCredentials })
}

/**
diff --git a/lib/common-templates/utils.test.js b/lib/common-templates/utils.test.js
index 23da5a9..c89fd55 100644
--- a/lib/common-templates/utils.test.js
+++ b/lib/common-templates/utils.test.js
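Review bot: The masking in `stringParameters` (lib/common-templates/utils.js) is a two-key denylist, so any other credential-bearing field is still serialized into the returned string. Only `__ims_oauth_s2s.client_secret` and `__ow_headers.authorization` are replaced; the `x-api-key` header that the existing test fixture carries, for example, passes through unchanged. The rewrite of this function in PATCH 2/3 keeps the same shape. Consider driving both blocks from one list of sensitive key names, or at least stating the limit in the code: `// NOTE: only client_secret and authorization are masked; every other value in params is returned verbatim`. The function's doc comment starts outside this hunk.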
@@ -60,6 +60,13 @@ describe('stringParameters', () => {
expect(utils.stringParameters(params)).toEqual(expect.stringContaining('"authorization":"<hidden>"'))
expect(utils.stringParameters(params)).not.toEqual(expect.stringContaining('secret'))
})
+ test('with ims credentials', () => {
+ const params = {
+ a: 1, b: 2, __ims_oauth_s2s: { client_id: 'fake-client-id', client_secret: 'secret', org_id: 'fake@AdobeOrg' }
+ }
+ expect(utils.stringParameters(params)).toEqual(expect.stringContaining('"client_secret":"<hidden>"'))
+ expect(utils.stringParameters(params)).not.toEqual(expect.stringContaining('secret'))
+ })
})

describe('checkMissingRequestInputs', () => {
From 0b6f4c588e04ed5a0e384c78a8d832d6bea83c4f Mon Sep 17 00:00:00 2001
From: moritzraho
Date: Mon, 23 Feb 2026 16:54:10 +0100
Subject: [PATCH 2/3] fix review comments
---
lib/common-templates/utils.js | 26 ++++++++++++++++----------
lib/common-templates/utils.test.js | 8 ++++----
2 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/lib/common-templates/utils.js b/lib/common-templates/utils.js
index bc8fd34..9650b47 100644
--- a/lib/common-templates/utils.js
+++ b/lib/common-templates/utils.js
@@ -24,18 +24,24 @@ governing permissions and limitations under the License.
*
*/
function stringParameters (params) {
- // hide credentials from the include-ims-credentials annotation
- let imsCredentials = params.__ims_oauth_s2s || {}
- if (imsCredentials.client_secret) {
- imsCredentials = { ...imsCredentials, client_secret: '<hidden>' }
+ // shallow copy to not override first level references
+ const paramsShallowCopy = { ...params }
+ // hide credentials from the include-ims-credentials annotation without
+ // overriding fields in __ims_oauth_s2s
+ if (params.__ims_oauth_s2s?.client_secret) {
+ paramsShallowCopy.__ims_oauth_s2s = {
+ ...params.__ims_oauth_s2s,
+ client_secret: '<hidden>'
+ }
}
- // hide authorization token without overriding params
- let headers = params.__ow_headers || {}
- if (headers.authorization) {
- headers = { ...headers, authorization: '<hidden>' }
+ // hide authorization token without overriding fields in __ow_headers
+ if (params.__ow_headers?.authorization) {
+ paramsShallowCopy.__ow_headers = {
+ ...params.__ow_headers,
+ authorization: '<hidden>'
+ }
}
-
- return JSON.stringify({ ...params, __ow_headers: headers, __ims_oauth_s2s: imsCredentials })
+ return JSON.stringify(paramsShallowCopy)
}

/**
diff --git a/lib/common-templates/utils.test.js b/lib/common-templates/utils.test.js
index c89fd55..6a5d0c8 100644
--- a/lib/common-templates/utils.test.js
+++ b/lib/common-templates/utils.test.js
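Review bot: The doc comment that closes just above `stringParameters` in lib/common-templates/utils.js lies outside this hunk and is not touched by either patch that changes the function, so it presumably still describes only the authorization header being hidden. Suggest adding a line such as `* The client_secret field of __ims_oauth_s2s is replaced by '<hidden>' as well.` so readers of the function contract know which values are masked. It is also worth stating there that `params` itself is never modified, since that is the property the new shallow copy is there to guarantee.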
@@ -55,17 +55,17 @@ describe('stringParameters', () => {
})
test('with auth header', () => {
const params = {
- a: 1, b: 2, __ow_headers: { 'x-api-key': 'fake-api-key', authorization: 'secret' }
+ a: 1, b: 2, __ow_headers: { 'x-api-key': 'fake-api-key', authorization: 'thesecret' }
}
expect(utils.stringParameters(params)).toEqual(expect.stringContaining('"authorization":"<hidden>"'))
- expect(utils.stringParameters(params)).not.toEqual(expect.stringContaining('secret'))
+ expect(utils.stringParameters(params)).not.toEqual(expect.stringContaining('thesecret'))
})
test('with ims credentials', () => {
const params = {
- a: 1, b: 2, __ims_oauth_s2s: { client_id: 'fake-client-id', client_secret: 'secret', org_id: 'fake@AdobeOrg' }
+ a: 1, b: 2, __ims_oauth_s2s: { client_id: 'fake-client-id', client_secret: 'thesecret', org_id: 'fake@AdobeOrg' }
}
expect(utils.stringParameters(params)).toEqual(expect.stringContaining('"client_secret":"<hidden>"'))
- expect(utils.stringParameters(params)).not.toEqual(expect.stringContaining('secret'))
+ expect(utils.stringParameters(params)).not.toEqual(expect.stringContaining('thesecret'))
})
})

From 118953c7e49da6a24c8f9b7b8695a898a2f97ca7 Mon Sep 17 00:00:00 2001
From: moritzraho
Date: Mon, 23 Feb 2026 16:55:00 +0100
Subject: [PATCH 3/3] add a test
---
lib/common-templates/utils.test.js | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/lib/common-templates/utils.test.js b/lib/common-templates/utils.test.js
index 6a5d0c8..a06e303 100644
--- a/lib/common-templates/utils.test.js
+++ b/lib/common-templates/utils.test.js
@@ -67,6 +67,14 @@ describe('stringParameters', () => {
expect(utils.stringParameters(params)).toEqual(expect.stringContaining('"client_secret":"<hidden>"'))
expect(utils.stringParameters(params)).not.toEqual(expect.stringContaining('thesecret'))
})
+ test('with ims credentials and authorization header', () => {
+ const params = {
+ a: 1, b: 2, __ims_oauth_s2s: { client_id: 'fake-client-id', client_secret: 'thesecret', org_id: 'fake@AdobeOrg' }, __ow_headers: { authorization: 'thesecret' }
+ }
+ expect(utils.stringParameters(params)).toEqual(expect.stringContaining('"client_secret":"<hidden>"'))
+ expect(utils.stringParameters(params)).toEqual(expect.stringContaining('"authorization":"<hidden>"'))
+ expect(utils.stringParameters(params)).not.toEqual(expect.stringContaining('thesecret'))
+ })
})

describe('checkMissingRequestInputs', () => {
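Review bot: The new test never checks that the caller's `params` object is left intact, which is the property the shallow copy in `stringParameters` exists to protect. A later change that assigned into `params.__ims_oauth_s2s` or `params.__ow_headers` directly would overwrite the real credential and still pass. Adding `expect(params.__ims_oauth_s2s.client_secret).toBe('thesecret')` and `expect(params.__ow_headers.authorization).toBe('thesecret')` after the calls would pin it. Giving the two secrets different fixture values would also let a failing negative assertion show which field leaked.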