Check for prohibited words in non-secure field

connector-packager/CHANGELOG.md

@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.1.1] - 8/29/2025
+- Add checks for secure field violations
+
 ## [2.1.0] - 5/8/2020
 - Add support for packaging connectors using connection dialogs v2
 

connector-packager/connector_packager/xsd_validator.py

@@ -19,6 +19,7 @@
 PLATFORM_FIELD_NAMES = ['server', 'port', 'sslmode', 'authentication', 'username', 'password', 'instanceurl', 'vendor1', 'vendor2', 'vendor3']
 VENDOR_FIELD_NAMES = ['vendor1', 'vendor2', 'vendor3']
 VENDOR_FIELD_NAME_PREFIX = 'v-'
+VENDOR_FIELD_PROHIBITED_WORDS = ['token', 'secret', 'password']
 
 # Holds the mapping between file type and XSD file name
 XSD_DICT = {
@@ -196,10 +197,18 @@ def validate_file_specific_rules_connection_fields(file_to_test: ConnectorFile,
     root = xml_tree.getroot()
 
     for child in root.iter('field'):
+
         if 'name' in child.attrib:
             field_name = child.attrib['name']
+            display_name = child.attrib['label']
             properties.connection_fields.append(field_name)
 
+            # Only password is allowed to be secure
+            field_marked_secure = child.attrib.get('secure','false') == 'true'
+            if field_marked_secure and field_name != 'password':
+                xml_violations_buffer.append(field_name + " cannot be marked as secure: Only 'password' field can be marked as secure")
+                return False
+
             if field_name in VENDOR_FIELD_NAMES or field_name.startswith(VENDOR_FIELD_NAME_PREFIX):
                 properties.vendor_defined_fields.append(field_name)
 
@@ -227,6 +236,20 @@ def validate_file_specific_rules_connection_fields(file_to_test: ConnectorFile,
                                                     "of documentation for more information.")
                     return False
 
+            if not field_marked_secure:
+                for word in VENDOR_FIELD_PROHIBITED_WORDS:
+                    if word in field_name.lower():
+                        xml_violations_buffer.append(field_name + " is not marked as secure and contains prohibited word '" + word + "'. The values of non-secure fields will be logged in plain text.")
+                        return False
+
+                if display_name is not None:
+                    for word in VENDOR_FIELD_PROHIBITED_WORDS:
+                        if word in display_name.lower():
+                            xml_violations_buffer.append(field_name + " is not marked as secure and contains prohibited word '" + word + "' in the display name: " + display_name + ". The values of non-secure fields will be logged in plain text.")
+                            return False
+
+
+
             field_names.add(field_name)
 
         if 'category' in child.attrib:

connector-packager/tests/test_resources/field_name_validation/invalid/non_password_secure_field/connectionFields.xml

@@ -0,0 +1,10 @@
+<connection-fields>
+  <field name="authentication" label="Authentication" category="authentication" value-type="string" editable="false" default-value="auth-user-pass" />
+
+  <!-- -  Field marked as secure that is not pasword -->
+  <field label='SecureField' name='v-very-secure'
+          value-type='string' default-value='' optional='true'
+          secure='true' category='advanced'>
+  </field>
+
+</connection-fields>

connector-packager/tests/test_resources/field_name_validation/invalid/prohibited_word/connectionFields.xml

@@ -0,0 +1,10 @@
+<connection-fields>
+  <field name="authentication" label="Authentication" category="authentication" value-type="string" editable="false" default-value="auth-user-pass" />
+
+  <!-- -  has banned word in field name -->
+  <field label='Epic' name='v-epic-password'
+          value-type='string' default-value='' optional='true'
+          secure='false' category='advanced'>
+  </field>
+
+</connection-fields>

connector-packager/tests/test_resources/field_name_validation/invalid/prohibited_word_label/connectionFields.xml

@@ -0,0 +1,10 @@
+<connection-fields>
+  <field name="authentication" label="Authentication" category="authentication" value-type="string" editable="false" default-value="auth-user-pass" />
+
+  <!-- -  has banned word in field label -->
+  <field label='EpicPassword' name='v-epic'
+          value-type='string' default-value='' optional='true'
+          secure='false' category='advanced'>
+  </field>
+
+</connection-fields>

connector-packager/tests/test_xsd_validator.py

@@ -266,6 +266,21 @@ def test_validate_connection_field_name(self):
         self.assertFalse(validate_single_file(file_to_test, test_file, xml_violations_buffer, dummy_properties),
                          "XML Validation failed for connectionFields.xml")
 
+        print("Test connectionFields is invalidated by non-password field marked secure")
+        test_file = TEST_FOLDER / "field_name_validation/invalid/non_password_secure_field/connectionFields.xml"
+        self.assertFalse(validate_single_file(file_to_test, test_file, xml_violations_buffer, dummy_properties),
+                         "XML Validation failed for connectionFields.xml")
+
+        print("Test connectionFields is invalidated by non-secure field containing prohibited word")
+        test_file = TEST_FOLDER / "field_name_validation/invalid/prohibited_word/connectionFields.xml"
+        self.assertFalse(validate_single_file(file_to_test, test_file, xml_violations_buffer, dummy_properties),
+                         "XML Validation failed for connectionFields.xml")
+
+        print("Test connectionFields is invalidated by non-secure field containing prohibited word in label")
+        test_file = TEST_FOLDER / "field_name_validation/invalid/prohibited_word_label/connectionFields.xml"
+        self.assertFalse(validate_single_file(file_to_test, test_file, xml_violations_buffer, dummy_properties),
+                         "XML Validation failed for connectionFields.xml")
+
         logging.debug("test_validate_connetion_field_name xml violations:")
         for violation in xml_violations_buffer:
             logging.debug(violation)