fix(deploy-tooling): prevent cleartext credentials in deploy configuration

longieirl · longieirl · commit 2ebe113b3a2e · 2026-04-09T12:59:42.000+01:00
diff --git a/.changeset/deploy-tooling-prevent-cleartext-credentials.md b/.changeset/deploy-tooling-prevent-cleartext-credentials.md
@@ -0,0 +1,5 @@
+---
+"@sap-ux/deploy-tooling": patch
+---
+
+fix(deploy-tooling): prevent cleartext credentials in deploy configuration
diff --git a/packages/deploy-tooling/src/base/config.ts b/packages/deploy-tooling/src/base/config.ts
@@ -49,6 +49,20 @@ function validateTarget(target: AbapTarget): AbapTarget {
     return target;
 }
 
+/**
+ * Validates that credentials are provided as environment variable references, not as plain text.
+ *
+ * @param credentials - credentials to validate
+ */
+function validateCredentials(credentials: AbapDeployConfig['credentials']): void {
+    const isEnvRef = (value: string | undefined): boolean => !value || value.startsWith('env:');
+    if (credentials && (!isEnvRef(credentials.username) || !isEnvRef(credentials.password))) {
+        throw new Error(
+            'Credentials must be provided as environment variable references (e.g. env:MY_VAR), not as plain text.'
+        );
+    }
+}
+
 /**
  * Type checking the config object.
  *
@@ -87,6 +101,9 @@ export function validateConfig(config: AbapDeployConfig | undefined, logger?: Lo
     if (!config.app) {
         throwConfigMissingError('app');
     }
+    if (config.credentials) {
+        validateCredentials(config.credentials);
+    }
 
     return config;
 }
diff --git a/packages/deploy-tooling/test/unit/base/config.test.ts b/packages/deploy-tooling/test/unit/base/config.test.ts
@@ -131,5 +131,82 @@ describe('base/config', () => {
             expect(() => validateConfig(config)).not.toThrow();
             expect(config.app.package).toBe('$TMP');
         });
+
+        describe('validateCredentials', () => {
+            test('throws when username is plaintext (no env: prefix)', () => {
+                // given a config with a plaintext username
+                const config = {
+                    ...validConfig,
+                    credentials: { username: 'admin', password: 'env:MY_PASSWORD' }
+                } as AbapDeployConfig;
+
+                // when validateConfig is called
+                // then it throws with the expected message
+                expect(() => validateConfig(config)).toThrow(
+                    'Credentials must be provided as environment variable references'
+                );
+            });
+
+            test('throws when password is plaintext (no env: prefix)', () => {
+                // given a config with a plaintext password
+                const config = {
+                    ...validConfig,
+                    credentials: { username: 'env:MY_USER', password: 'secret' }
+                } as AbapDeployConfig;
+
+                // when validateConfig is called
+                // then it throws with the expected message
+                expect(() => validateConfig(config)).toThrow(
+                    'Credentials must be provided as environment variable references'
+                );
+            });
+
+            test('throws when both username and password are plaintext', () => {
+                // given a config with plaintext username and password
+                const config = {
+                    ...validConfig,
+                    credentials: { username: 'admin', password: 'secret' }
+                } as AbapDeployConfig;
+
+                // when validateConfig is called
+                // then it throws with the expected message
+                expect(() => validateConfig(config)).toThrow(
+                    'Credentials must be provided as environment variable references'
+                );
+            });
+
+            test('passes when both username and password use env: prefix', () => {
+                // given a config with env-referenced credentials
+                const config = {
+                    ...validConfig,
+                    credentials: { username: 'env:MY_USER', password: 'env:MY_PASSWORD' }
+                } as AbapDeployConfig;
+
+                // when validateConfig is called
+                // then it does not throw
+                expect(() => validateConfig(config)).not.toThrow();
+            });
+
+            test('passes when credentials are absent', () => {
+                // given a config without credentials
+                const config = { ...validConfig } as AbapDeployConfig;
+
+                // when validateConfig is called
+                // then it does not throw
+                expect(() => validateConfig(config)).not.toThrow();
+            });
+
+            test('passes when only username is set with env: prefix and password is absent', () => {
+                // given a config with only username set via env:
+                const config = {
+                    ...validConfig,
+                    credentials: { username: 'env:MY_USER' }
+                } as unknown as AbapDeployConfig;
+
+                // when validateConfig is called
+                // then it does not throw
+                expect(() => validateConfig(config)).not.toThrow();
+            });
+        });
     });
 });

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@sap-ux/deploy-tooling": patch
 +---
++
 +fix(deploy-tooling): prevent cleartext credentials in deploy configuration