Evaluate hasExtendedMetadata Liquid in secret-scanning render paths (#61622)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: aaronwaggener

src/article-api/tests/secret-scanning-transformer.test.ts

@@ -0,0 +1,78 @@
+import { describe, expect, test, vi, beforeEach } from 'vitest'
+
+import { SecretScanningTransformer } from '@/article-api/transformers/secret-scanning-transformer'
+import shortVersionsMiddleware from '@/versions/middleware/short-versions'
+import { allVersions } from '@/versions/lib/all-versions'
+import enterpriseServerReleases from '@/versions/lib/enterprise-server-releases'
+import { getSecretScanningData } from '@/secret-scanning/lib/get-secret-scanning-data'
+import type { Context, ExtendedRequest, Page, SecretScanningData } from '@/types'
+
+vi.mock('@/secret-scanning/lib/get-secret-scanning-data')
+vi.mock('@/article-api/lib/load-template', () => ({
+  loadTemplate: () => '{{ content }}',
+}))
+
+const ghesConditional = '{% ifversion ghes %}false{% else %}true{% endif %}'
+
+const makeEntry = (): SecretScanningData =>
+  ({
+    provider: 'Example',
+    supportedSecret: 'Example Token',
+    secretType: 'example_token',
+    versions: {},
+    isPublic: true,
+    isPrivateWithGhas: true,
+    hasPushProtection: true,
+    hasValidityCheck: ghesConditional,
+    hasExtendedMetadata: ghesConditional,
+    base64Supported: false,
+    isduplicate: false,
+  }) as SecretScanningData
+
+const stubPage = {
+  autogenerated: 'secret-scanning',
+  title: 'Test',
+  intro: '',
+  render: vi.fn().mockResolvedValue(''),
+  renderProp: vi.fn().mockResolvedValue(''),
+} as unknown as Page
+
+const buildContext = async (currentVersion: string): Promise<Context> => {
+  const req = { language: 'en', query: {} } as ExtendedRequest
+  req.context = { currentVersion, allVersions, enterpriseServerReleases } as Context
+  req.context.currentVersionObj = allVersions[currentVersion]
+  await shortVersionsMiddleware(req, null, () => {})
+  return req.context
+}
+
+describe('SecretScanningTransformer Liquid evaluation', () => {
+  const transformer = new SecretScanningTransformer()
+
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  const oldestGhes = enterpriseServerReleases.oldestSupported
+
+  test('resolves GHES conditionals to false on enterprise-server', async () => {
+    vi.mocked(getSecretScanningData).mockResolvedValue([makeEntry()])
+    const context = await buildContext(`enterprise-server@${oldestGhes}`)
+
+    await transformer.transform(stubPage, '/test', context)
+
+    expect(context.secretScanningData).toBeDefined()
+    expect(context.secretScanningData![0].hasValidityCheck).toBe(false)
+    expect(context.secretScanningData![0].hasExtendedMetadata).toBe(false)
+  })
+
+  test('resolves GHES conditionals to true on free-pro-team', async () => {
+    vi.mocked(getSecretScanningData).mockResolvedValue([makeEntry()])
+    const context = await buildContext('free-pro-team@latest')
+
+    await transformer.transform(stubPage, '/test', context)
+
+    expect(context.secretScanningData).toBeDefined()
+    expect(context.secretScanningData![0].hasValidityCheck).toBe(true)
+    expect(context.secretScanningData![0].hasExtendedMetadata).toBe(true)
+  })
+})

src/article-api/transformers/secret-scanning-transformer.ts

@@ -40,14 +40,24 @@ export class SecretScanningTransformer implements PageTransformer {
 
         // Process Liquid in values
         for (const entry of data) {
-          // Only process Liquid for the hasValidityCheck field, as in the middleware
+          // Process Liquid for the hasValidityCheck field, as in the middleware
           if (typeof entry.hasValidityCheck === 'string' && entry.hasValidityCheck.includes('{%')) {
             // Render Liquid and parse as YAML to get correct boolean type
             entry.hasValidityCheck = load(
               await liquid.parseAndRender(entry.hasValidityCheck, context),
             ) as boolean
           }
 
+          // Process Liquid for the hasExtendedMetadata field, as in the middleware
+          if (
+            typeof entry.hasExtendedMetadata === 'string' &&
+            entry.hasExtendedMetadata.includes('{%')
+          ) {
+            entry.hasExtendedMetadata = load(
+              await liquid.parseAndRender(entry.hasExtendedMetadata, context),
+            ) as boolean
+          }
+
           if (entry.isduplicate) {
             entry.secretType += ' <br/><a href="#token-versions">Token versions</a>'
           }

src/secret-scanning/middleware/secret-scanning.ts

@@ -48,9 +48,13 @@ export default async function secretScanning(
   // to execute that Liquid to get the actual value.
   for (const entry of req.context.secretScanningData) {
     for (const [key, value] of Object.entries(entry)) {
-      if (key === 'hasValidityCheck' && typeof value === 'string' && value.includes('{%')) {
+      if (
+        (key === 'hasValidityCheck' || key === 'hasExtendedMetadata') &&
+        typeof value === 'string' &&
+        value.includes('{%')
+      ) {
         const evaluated = yaml.load(await liquid.parseAndRender(value, req.context))
-        entry[key] = evaluated as string
+        entry[key] = evaluated as boolean | string
       }
     }
     if (entry.isduplicate) {

src/secret-scanning/tests/liquid-evaluation.ts

@@ -0,0 +1,67 @@
+import { describe, expect, test, vi, beforeEach } from 'vitest'
+import { readFileSync } from 'fs'
+import type { Response } from 'express'
+
+import secretScanning from '@/secret-scanning/middleware/secret-scanning'
+import shortVersionsMiddleware from '@/versions/middleware/short-versions'
+import { allVersions } from '@/versions/lib/all-versions'
+import enterpriseServerReleases from '@/versions/lib/enterprise-server-releases'
+import { getSecretScanningData } from '@/secret-scanning/lib/get-secret-scanning-data'
+import type { Context, ExtendedRequest, SecretScanningData } from '@/types'
+
+vi.mock('@/secret-scanning/lib/get-secret-scanning-data')
+
+const { targetFilename } = JSON.parse(
+  readFileSync('src/secret-scanning/lib/config.json', 'utf8'),
+) as { targetFilename: string }
+
+// Both hasValidityCheck and hasExtendedMetadata can be emitted by token-scanning-service
+// as a Liquid conditional that resolves to false on GHES and true elsewhere.
+const ghesConditional = '{% ifversion ghes %}false{% else %}true{% endif %}'
+
+const makeEntry = (): SecretScanningData =>
+  ({
+    provider: 'Example',
+    supportedSecret: 'Example Token',
+    secretType: 'example_token',
+    versions: {},
+    isPublic: true,
+    isPrivateWithGhas: true,
+    hasPushProtection: true,
+    hasValidityCheck: ghesConditional,
+    hasExtendedMetadata: ghesConditional,
+    base64Supported: false,
+    isduplicate: false,
+  }) as SecretScanningData
+
+const runMiddleware = async (currentVersion: string): Promise<SecretScanningData> => {
+  vi.mocked(getSecretScanningData).mockResolvedValue([makeEntry()])
+
+  const req = { language: 'en', query: {}, pagePath: `/en/${targetFilename}` } as ExtendedRequest
+  req.context = { currentVersion, allVersions, enterpriseServerReleases } as Context
+  req.context.currentVersionObj = allVersions[currentVersion]
+  await shortVersionsMiddleware(req, null, () => {})
+
+  await secretScanning(req, {} as Response, () => {})
+  return req.context.secretScanningData![0]
+}
+
+describe('secret-scanning middleware Liquid evaluation', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  const oldestSupportedGhes = enterpriseServerReleases.oldestSupported
+
+  test('resolves GHES conditionals to false on enterprise-server', async () => {
+    const entry = await runMiddleware(`enterprise-server@${oldestSupportedGhes}`)
+    expect(entry.hasValidityCheck).toBe(false)
+    expect(entry.hasExtendedMetadata).toBe(false)
+  })
+
+  test('resolves GHES conditionals to true on free-pro-team', async () => {
+    const entry = await runMiddleware('free-pro-team@latest')
+    expect(entry.hasValidityCheck).toBe(true)
+    expect(entry.hasExtendedMetadata).toBe(true)
+  })
+})

src/types/types.ts

@@ -280,7 +280,7 @@ export type SecretScanningData = {
   isPrivateWithGhas: boolean
   hasPushProtection: boolean
   hasValidityCheck: boolean | string
-  hasExtendedMetadata?: boolean
+  hasExtendedMetadata?: boolean | string
   base64Supported: boolean
   isduplicate: boolean
 }