Skip to content

Commit 663a801

Browse files
committed
fix(security): apply proper PSScriptAnalyzer suppression pattern from PSWrapper
Apply the same SuppressMessageAttribute pattern used in Datto-DBPool_PSWrapper's Get-DBPoolUser.ps1 function, which includes: - Justification parameter with clear explanation - Inline comment after the attribute The temporary password in Initialize-DattoSecretStoreVault is safe because: - It's randomly generated (32 characters) - It's never stored or logged - It's only used to satisfy SecretStore's initial setup requirement - It's immediately replaced with no authentication
1 parent b07e345 commit 663a801

1 file changed

Lines changed: 15 additions & 9 deletions

File tree

src/Initialize-RefreshDBPool.ps1

Lines changed: 15 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -302,17 +302,23 @@ if (-not (Get-Module -Name Datto.DBPool.Refresh -Verbose:$false)) {
302302

303303

304304
# Set the environment variables for the Datto.DBPool.Refresh module
305+
# Initialize SecretStore with temporary password (required for initial setup, then switched to no authentication)
306+
function Initialize-DattoSecretStoreVault {
307+
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '', Justification = "Temporary random password generated for initial SecretStore setup only. Never stored or logged.")]
308+
# PSScriptAnalyzer - ignore creation of a SecureString using plain text rule
309+
param()
310+
311+
# Generate a random temporary password for initial SecretStore configuration
312+
# This is immediately replaced with no authentication, but SecretStore requires a password for the initial setup
313+
$tempPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
314+
$secretStoreAuth = ConvertTo-SecureString $tempPassword -AsPlainText -Force
315+
Set-SecretStoreConfiguration -Authentication Password -Password $secretStoreAuth -Confirm:$false
316+
Set-SecretStoreConfiguration -Authentication none -Password $secretStoreAuth -Confirm:$false
317+
}
318+
305319
try {
306320
if (-not (Get-SecretVault -Name Datto_SecretStore -ErrorAction SilentlyContinue -Verbose:$false)) {
307-
# Generate a random temporary password for initial SecretStore configuration
308-
# This is immediately replaced with no authentication, but SecretStore requires a password for the initial setup
309-
$tempPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
310-
# Suppress PSScriptAnalyzer warning: This is a randomly generated temporary password that is never stored
311-
# and is only used to satisfy SecretStore's initial setup requirement before switching to no authentication
312-
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '')]
313-
$secretStoreAuth = ConvertTo-SecureString $tempPassword -AsPlainText -Force
314-
Set-SecretStoreConfiguration -Authentication Password -Password $secretStoreAuth -Confirm:$false
315-
Set-SecretStoreConfiguration -Authentication none -Password $secretStoreAuth -Confirm:$false
321+
Initialize-DattoSecretStoreVault
316322
Add-DattoSecretStore -ErrorAction Stop
317323
}
318324

0 commit comments

Comments
 (0)