Skip to content

test: add regression tests for config secrets protection #11061

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 17, 2025
Merged

test: add regression tests for config secrets protection #11061

merged 1 commit into from
Nov 17, 2025

Conversation

@lidel
Copy link
Member

@lidel lidel commented Nov 16, 2025

This PR closes the gap and adds extra test coverage for security-sensitive config settings:

Identity.PrivKey protection:

  • PrivKey concealed in ipfs config show
  • PrivKey cannot be read via ipfs config Identity.PrivKey or ipfs config Identity
  • PrivKey cannot be set via ipfs config replace
  • PrivKey preserved when re-injecting config without it

TLS security validation:

  • AutoConf.TLSInsecureSkipVerify defaults to false (secure)
  • HTTPRetrieval.TLSInsecureSkipVerify defaults to false (secure)
  • both settings can be explicitly enabled when needed

No code changes, as all tests pass. This is just a precaution for future refactors.

@lidel
test: add regression tests for config secrets protection
febe398 
adds critical test coverage for security-sensitive config settings:

Identity.PrivKey protection:
- PrivKey concealed in `ipfs config show`
- PrivKey cannot be read via `ipfs config Identity.PrivKey` or `ipfs config Identity`
- PrivKey cannot be set via `ipfs config replace`
- PrivKey preserved when re-injecting config without it

TLS security validation:
- AutoConf.TLSInsecureSkipVerify defaults to false (secure)
- HTTPRetrieval.TLSInsecureSkipVerify defaults to false (secure)
- both settings can be explicitly enabled when needed

all tests pass (9/9)
@lidel lidel requested a review from a team as a code owner November 16, 2025 16:51
@lidel lidel added the skip/changelog This change does NOT require a changelog entry label Nov 16, 2025
@lidel lidel merged commit 597f2b8 into master Nov 17, 2025
17 checks passed
@lidel lidel deleted the test/config-secrets-coverage branch November 17, 2025 18:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

skip/changelog This change does NOT require a changelog entry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lidel