From 848b710137f8f8cd5b1f7864974e6cbea7dd8b51 Mon Sep 17 00:00:00 2001
From: gjsjohnmurray
Date: Wed, 28 Apr 2021 13:49:12 +0100
Subject: [PATCH] fix #84 Only supply credentials to Portal if password came as plaintext from settings
---
 CHANGELOG.md | 3 +++
 src/api/getPortalUriWithCredentials.ts | 22 ++++++++++++----------
 2 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fd82d8b..cb6b875 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 2.0.3 (28-Apr-2021)
+* Only supply credentials to Portal if password came as plaintext from settings (#84).
+
 ## 2.0.2 (22-Apr-2021)
 * Support Alt / Option modifier on Edit and View buttons to add workspace folder for server-side web application files.
 * Add newly defined server to the 'Recent' list.
diff --git a/src/api/getPortalUriWithCredentials.ts b/src/api/getPortalUriWithCredentials.ts
index 21347d1..d0e84ef 100644
--- a/src/api/getPortalUriWithCredentials.ts
+++ b/src/api/getPortalUriWithCredentials.ts
@@ -1,6 +1,6 @@
 import * as vscode from 'vscode';
 import { Uri } from 'vscode';
-import { extensionId } from '../extension';
+import { extensionId, ServerSpec } from '../extension';
 export async function getPortalUriWithCredentials(name: string, scope?: vscode.ConfigurationScope): Promise { 
@@ -10,22 +10,24 @@ export async function getPortalUriWithCredentials(name: string, scope?: vscode.C
 if (typeof spec !== 'undefined') {
 const webServer = spec.webServer;
 let queryString = '';
+
+ // We can only pass credentials in cleartext as a queryparam, so only do this if user was willing to store password in cleartext in settings.
+ const settingsSpec: ServerSpec | undefined = vscode.workspace.getConfiguration('intersystems.servers', scope).get(name);
+ spec.password = settingsSpec?.password;
- // At this point we don't know if the target is IRIS or Cache, so add credentials in both formats.
- // Deliberately put password before username, otherwise it is visible in VS Code's confirmation dialog triggered target domain
- // hasn't been set as trusted. Likewise, deliberately put IRIS* after Cache*
- if (spec?.password) {
+ if (spec?.password && spec?.username) {
+ // At this point we don't know if the target is IRIS or Cache, so add credentials in both formats.
+ // Deliberately put password before username, otherwise it is visible in VS Code's confirmation dialog triggered target domain
+ // hasn't been set as trusted. Likewise, deliberately put IRIS* after Cache*
 const passwordEncoded = encodeURIComponent(spec.password);
 queryString += `&CachePassword=${passwordEncoded}&IRISPassword=${passwordEncoded}`;
- }
- if (spec?.username) {
 const usernameEncoded = encodeURIComponent(spec.username);
 queryString += `&CacheUsername=${usernameEncoded}&IRISUsername=${usernameEncoded}`;
+
+ // Add a cache-buster and push any credentials offscreen
+ queryString = '_=' + new Date().getTime().toString().padEnd(480,' ') + queryString;
 }
- // Add a dummy cache-buster and push the actual credentials offscreen
- queryString = '_=' + new Date().getTime().toString().padEnd(480,' ') + queryString;
-
 return vscode.Uri.parse(`${webServer.scheme}://${webServer.host}:${webServer.port}${webServer.pathPrefix}/csp/sys/UtilHome.csp?${queryString}`, true);
 }
 })
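Review bot: `spec.password = settingsSpec?.password;` writes the settings value back into the `spec` object instead of holding it in a local, so if `spec` comes from a shared or cached source (its origin is outside the hunk) every later reader of `spec.password` sees the settings password, or `undefined` when settings hold none, in place of whatever was there before. Keeping the decision local avoids that side effect: `const portalPassword = settingsSpec?.password;` then `if (typeof portalPassword === 'string' && portalPassword && spec.username) {` and `const passwordEncoded = encodeURIComponent(portalPassword);`. The `typeof` check also guards the untyped `getConfiguration(...).get(name)` read, which the annotation merely asserts to be `ServerSpec | undefined` without validating the shape of what the user put in settings. The `?.` in `spec?.password && spec?.username` is redundant here, since `spec` is already narrowed by the enclosing `typeof spec !== 'undefined'` check. getPortalUriWithCredentials starts before the hunk.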