From 39a7234d2e3c1714d65f310c4290ce401bb85bfe Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Mon, 3 Mar 2025 18:02:30 +0000
Subject: [PATCH] Prevent accidental credential misuse during tests.
---
 packages/server/src/integrations/dynamodb.ts | 19 ++++++-------------
 .../src/integrations/tests/dynamodb.spec.ts | 17 +++++++++++++++--
 packages/server/src/tests/jestSetup.ts | 6 ++++++
 packages/worker/src/tests/jestSetup.ts | 9 +++++++--
 4 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/packages/server/src/integrations/dynamodb.ts b/packages/server/src/integrations/dynamodb.ts
index 6d8ae1c1c2..cfaa851cea 100644
--- a/packages/server/src/integrations/dynamodb.ts
+++ b/packages/server/src/integrations/dynamodb.ts
@@ -14,7 +14,7 @@ import {
 UpdateCommandInput,
 DeleteCommandInput,
 } from "@aws-sdk/lib-dynamodb"
-import { DynamoDB } from "@aws-sdk/client-dynamodb"
+import { DynamoDB, DynamoDBClientConfig } from "@aws-sdk/client-dynamodb"
 import { AWS_REGION } from "../constants"
 export interface DynamoDBConfig {
@@ -22,7 +22,6 @@ export interface DynamoDBConfig {
 accessKeyId: string
 secretAccessKey: string
 endpoint?: string
- currentClockSkew?: boolean
 }
 const SCHEMA: Integration = {
@@ -139,21 +138,15 @@ const SCHEMA: Integration = {
 }
 export class DynamoDBIntegration implements IntegrationBase {
- private config: DynamoDBConfig
+ private config: DynamoDBClientConfig
 private client: DynamoDBDocument
 constructor(config: DynamoDBConfig) {
- this.config = config
-
- // User is using a local dynamoDB endpoint, don't auth with remote
- if (this.config?.endpoint?.includes("localhost")) {
- // @ts-ignore
- this.config = {}
- }
-
 this.config = {
- ...this.config,
- currentClockSkew: true,
+ credentials: {
+ accessKeyId: config.accessKeyId,
+ secretAccessKey: config.secretAccessKey,
+ },
 region: config.region || AWS_REGION,
 endpoint: config.endpoint || undefined,
 }
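Review bot: The `credentials` block added to the constructor copies `config.accessKeyId` and `config.secretAccessKey` through without checking that either is a non-empty string, and nothing records why they are now always passed. As far as I can tell, supplying an explicit pair is what stops the v3 client from falling back to the host's default provider chain (environment, shared config, instance role), so I would state that in a comment, `// Always pass explicit credentials so the SDK never falls back to the host's ambient AWS credentials`. I would also reject blank values up front with `if (!config.accessKeyId || !config.secretAccessKey) throw new Error("DynamoDB datasource requires accessKeyId and secretAccessKey")`, or substitute fixed dummy values if blank keys must stay legal for local endpoints. The constructor continues past the end of the hunk, so how `this.config` reaches the client is not visible here.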
diff --git a/packages/server/src/integrations/tests/dynamodb.spec.ts b/packages/server/src/integrations/tests/dynamodb.spec.ts
index f7aafc6932..e6b1ed405c 100644
--- a/packages/server/src/integrations/tests/dynamodb.spec.ts
+++ b/packages/server/src/integrations/tests/dynamodb.spec.ts
@@ -1,7 +1,11 @@
 import { Datasource } from "@budibase/types"
 import { DynamoDBConfig, DynamoDBIntegration } from "../dynamodb"
 import { DatabaseName, datasourceDescribe } from "./utils"
-import { CreateTableCommandInput, DynamoDB } from "@aws-sdk/client-dynamodb"
+import {
+ CreateTableCommandInput,
+ DynamoDB,
+ DynamoDBClientConfig,
+} from "@aws-sdk/client-dynamodb"
 const describes = datasourceDescribe({ only: [DatabaseName.DYNAMODB] })
@@ -38,7 +42,16 @@ if (describes.length > 0) {
 rawDatasource.config! as DynamoDBConfig
 )
- const client = new DynamoDB(rawDatasource.config as DynamoDBConfig)
+ const config: DynamoDBClientConfig = {
+ credentials: {
+ accessKeyId: "test",
+ secretAccessKey: "test",
+ },
+ region: "us-east-1",
+ endpoint: rawDatasource.config!.endpoint,
+ }
+
+ const client = new DynamoDB(config)
 await createTable(client, {
 TableName: table,
 KeySchema: [{ AttributeName: "Id", KeyType: "HASH" }],
diff --git a/packages/server/src/tests/jestSetup.ts b/packages/server/src/tests/jestSetup.ts
index 60cf96cb51..663f0482ab 100644
--- a/packages/server/src/tests/jestSetup.ts
+++ b/packages/server/src/tests/jestSetup.ts
@@ -3,6 +3,12 @@ import * as matchers from "jest-extended"
 import { env as coreEnv, timers } from "@budibase/backend-core"
 import { testContainerUtils } from "@budibase/backend-core/tests"
 import nock from "nock"
+import AWS from "aws-sdk"
+
+// Prevent accidental use of real AWS credentials
+AWS.config.update({
+ credentialProvider: new AWS.CredentialProviderChain([]),
+})
 expect.extend(matchers)
 if (!process.env.CI) {
diff --git a/packages/worker/src/tests/jestSetup.ts b/packages/worker/src/tests/jestSetup.ts
index 6a98031d34..682b92e1c3 100644
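Review bot: The new `config` literal in dynamodb.spec.ts takes `endpoint: rawDatasource.config!.endpoint` without asserting that it is set, although `endpoint` is optional on `DynamoDBConfig`. If it ever comes back undefined, the client would presumably resolve the public endpoint for `us-east-1` and send the create-table request to real AWS with the dummy key pair instead of to the local container. Guard it before building the client, e.g. `if (!rawDatasource.config?.endpoint) throw new Error("DynamoDB test datasource has no endpoint")`. The enclosing test setup starts and ends outside the hunk.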
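Review bot: The guard added after the imports in packages/server/src/tests/jestSetup.ts configures the v2 `aws-sdk` global (`AWS.config`), but the DynamoDB integration touched by this same patch imports `@aws-sdk/client-dynamodb`, a v3 client that does not read `AWS.config`, so any v3 client built without `credentials` would still walk its own default provider chain. In addition, as far as I recall, v2 resolves `AWS.config.credentials` from environment variables and the shared credentials file when the module loads and prefers that value over `credentialProvider`, so replacing only the chain may leave already-loaded credentials in place; this is worth verifying. Consider adding `credentials: null` to the same `AWS.config.update` call and, for v3, overwriting `process.env.AWS_ACCESS_KEY_ID` and `process.env.AWS_SECRET_ACCESS_KEY` with dummy values and deleting `process.env.AWS_SESSION_TOKEN` and `process.env.AWS_PROFILE` in this setup file. The identical block added to packages/worker/src/tests/jestSetup.ts has the same gap.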
--- a/packages/worker/src/tests/jestSetup.ts
+++ b/packages/worker/src/tests/jestSetup.ts
@@ -2,18 +2,23 @@ import { mocks, testContainerUtils } from "@budibase/backend-core/tests"
 import env from "../environment"
 import { env as coreEnv, timers } from "@budibase/backend-core"
 import nock from "nock"
+import AWS from "aws-sdk"
 // mock all dates to 2020-01-01T00:00:00.000Z
 // use tk.reset() to use real dates in individual tests
 import tk from "timekeeper"
+// Prevent accidental use of real AWS credentials
+AWS.config.update({
+ credentialProvider: new AWS.CredentialProviderChain([]),
+})
+
 nock.disableNetConnect()
 nock.enableNetConnect(host => {
 return (
 host.includes("localhost") ||
 host.includes("127.0.0.1") ||
- host.includes("::1") ||
- host.includes("ethereal.email") // used in realEmail.spec.ts
+ host.includes("::1")
 )
 })
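Review bot: The last change in this hunk drops `host.includes("ethereal.email")` from the `nock.enableNetConnect` allow-list, which the commit message does not mention; the removed comment says realEmail.spec.ts relied on it, so that spec presumably needs its own opt-in now or it will be blocked by `nock.disableNetConnect()`. The remaining checks are substring matches, so any host name that merely contains `localhost` still passes; if the intent is loopback only, comparing the parsed host name exactly would be tighter. I would record the intent above the call with `// Only loopback hosts may be reached from tests; a spec that needs anything else must opt in explicitly`.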