Check that individual proxy configurations are objects

Author: mbg

lib/start-proxy.js

@@ -6,6 +6,9 @@ import { setupTests } from "./testing-utils";
 
 setupTests(test);
 
+const toEncodedJSON = (data: any) =>
+  Buffer.from(JSON.stringify(data)).toString("base64");
+
 test("getCredentials prefers registriesCredentials over registrySecrets", async (t) => {
   const registryCredentials = Buffer.from(
     JSON.stringify([
@@ -46,6 +49,25 @@ test("getCredentials throws an error when configurations are not an array", asyn
   );
 });
 
+test("getCredentials throws error when credential is not an object", async (t) => {
+  const testCredentials = [["foo"], [null]].map(toEncodedJSON);
+
+  for (const testCredential of testCredentials) {
+    t.throws(
+      () =>
+        startProxyExports.getCredentials(
+          getRunnerLogger(true),
+          undefined,
+          testCredential,
+          undefined,
+        ),
+      {
+        message: "Invalid credentials - must be an object",
+      },
+    );
+  }
+});
+
 test("getCredentials throws error when credential missing host and url", async (t) => {
   const registryCredentials = Buffer.from(
     JSON.stringify([{ type: "npm_registry", token: "abc" }]),

lib/start-proxy.js.map

@@ -72,6 +72,10 @@ export function getCredentials(
 
   const out: Credential[] = [];
   for (const e of parsed) {
+    if (e === null || typeof e !== "object") {
+      throw new ConfigurationError("Invalid credentials - must be an object");
+    }
+
     // Mask credentials to reduce chance of accidental leakage in logs.
     if (e.password !== undefined) {
       core.setSecret(e.password);