[KShare] Avoid leaking sensitive information from Global Variables (Execution Profiles)

:rotating_light: This is a security risk

"Can I store my profile somewhere else and still be able to access my projects and test cases?"

This is the question that we at the Katalon Product Support team received from one of our enterprise users, who cares a lot about security and expects Katalon to offer a secure solution for their use case.

In the past, Katalon supported only one secured solution, available to users of the Katalon Runtime Engine (KRE): override the values of the global variables with arguments in the execution command, so the secrets never live in the profile file.

```shell
# Secrets are taken from the shell environment, not from the execution profile.
USERNAME_VAR="John Doe"
PASSWORD_VAR="ThisIsNotAPassword"
# -g_<name> overrides the global variable <name> of the selected execution profile.
./katalonc -noSplash -runMode=console -projectPath="/Users/linh.nguyen/git/katalon-premium-reavealed/Secured Profiles/Secure Profiles.prj" -retry=0 -testSuitePath="Test Suites/KRE_Override_Arguments_TS" -browserType="Chrome" -executionProfile="default" -apiKey="2658c724-2d3e-4f92-9dbe-f2645610****" -orgID=84*** --config -webui.autoUpdateDrivers=true -g_username="${USERNAME_VAR}" -g_password="${PASSWORD_VAR}"
```

For Katalon Studio, we will first discuss the approaches you might already be applying and clarify their risks. Afterwards, we will provide you with a more thoughtful solution.

1. The Unsecured Approaches

1.1. The first unsecured approach: Set the raw text

:information_source: This approach refers to this test case: **Unsecured Set Text**

The downside with this approach is that the password could be exposed if you push it to an online repository such as GitHub.

1.2. The second unsecured approach: Set raw text in the Execution Profiles (Global Variables)

:information_source: This approach refers to this test case: **Unsecured Set Text with Profile**

The downside with this approach is that, once again, the password could be exposed if you push it to an online repository such as GitHub.

1.3. The third unsecured approach: Use the encrypted text with the keyword WebUI.setEncryptedText

:information_source: This approach refers to this test case: **Unsecured Set Encrypted Text**

The downside with this approach is that the encrypted text only obscures the password: anyone with the project can still decrypt it easily.

1.4. The fourth unsecured approach: Set the Encrypted Text in the Execution Profiles (Global Variables)

:information_source: This approach refers to this test case: **Unsecured Set Encrypted Text with Profile**

The downside with this approach is that, similar to the third approach, the password could still be decrypted easily.

2. Are there any better solutions that we can apply to this case?

We have prepared two custom keywords for two different approaches, which may suit different needs.

2.1. The first secured approach - The "defineSecuredProfiles" keyword

How does it work?

  1. Load the variables from the execution profile file into the execution environment.

  2. Remove the execution profile file from the Git repository (the file stays on the local machine). (*)

  3. Add the execution profile to the .gitignore file so that it is not committed again next time. (**)

:information_source: (*) (**): You should only follow these steps if your execution profile files are located in the Katalon project's "Profiles" folder.

2.2. The second secured approach - The "loadProfile" keyword

Use this keyword when you want to keep the execution profile files in the Git repository.

This keyword is also flexible about the path format: it accepts a relative path, an absolute path, and a file name with or without the file extension.

:information_source: Resolved path: "./Profiles/secured_production_profile.glbl"

```groovy
// Only the file name is given: the keyword looks in the project's Profiles folder.
CustomKeywords.'SecuredProfile.loadProfile'('secured_production_profile.glbl')
```

→ If the selected profile exists in the Katalon project's Profiles folder, the "Profiles" folder path can be omitted.

:information_source: Resolved path: "./Custom Folder/secured_production_profile.glbl"

```groovy
// Relative path without the extension: the keyword appends ".glbl" for you.
CustomKeywords.'SecuredProfile.loadProfile'('Custom Folder/secured_production_profile')
```

→ The keyword automatically appends the file extension to your file name.

:information_source: Resolved path: "C:/Users/me/Desktop/secured_production_profile.glbl"

```groovy
// Absolute path: the file can live entirely outside the project (and outside the Git repository).
CustomKeywords.'SecuredProfile.loadProfile'('C:/Users/me/Desktop/secured_production_profile')
```

An example for the absolute file path.
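To make the path rules above concrete, here is an added stand-alone model of them in Python (not the Groovy keyword from the sample project): the extension is optional, a bare file name resolves to the project's Profiles folder, relative paths start at the project root, and absolute paths are used as given. The profile parser assumes Katalon's `.glbl` XML layout, where each `GlobalVariableEntities` element carries a `name` and an `initValue` holding a Groovy literal; the sample profile is constructed for this example.

```python
import os
import xml.etree.ElementTree as ET

PROFILE_EXT = ".glbl"

# Constructed sample in Katalon's .glbl layout; initValue holds a Groovy literal.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<ExecutionProfile>
   <defaultProfile>false</defaultProfile>
   <name>secured_production_profile</name>
   <GlobalVariableEntities>
      <initValue>'John Doe'</initValue>
      <name>username</name>
   </GlobalVariableEntities>
   <GlobalVariableEntities>
      <initValue>'ThisIsNotAPassword'</initValue>
      <name>password</name>
   </GlobalVariableEntities>
</ExecutionProfile>
"""

def resolve_profile_path(name, project_dir):
    """Path rules from the post: the extension is optional, a bare file name
    means the project's Profiles folder, relative paths start at the project root."""
    path = name.strip()
    if not path.lower().endswith(PROFILE_EXT):
        path += PROFILE_EXT
    if os.path.isabs(path):
        return os.path.normpath(path)
    if "/" not in path and os.sep not in path:
        path = os.path.join("Profiles", path)
    return os.path.normpath(os.path.join(project_dir, path))

def parse_profile(xml_text):
    """Map each global variable name to its value (quoted string literals are unwrapped)."""
    values = {}
    for entry in ET.fromstring(xml_text).findall("GlobalVariableEntities"):
        init = (entry.findtext("initValue") or "").strip()
        if len(init) >= 2 and init[0] == init[-1] and init[0] in "'\"":
            init = init[1:-1]
        values[entry.findtext("name")] = init
    return values

def load_profile(name, project_dir):
    """Resolve the path, then read and parse the profile file."""
    with open(resolve_profile_path(name, project_dir), encoding="utf-8") as fh:
        return parse_profile(fh.read())
```

Whatever path form you choose, the file you load still holds the secrets in clear text, so the profile only protects them if it stays out of the repository (step 3 of the first approach) or outside the project entirely.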

Our sample project here.


The Product Support team is happy to hear any further ideas, feedback and suggestions you may have after reading this article.


Thank you, Product Support team (@support.squad), as always for this insightful topic. And also a big shout-out to the two individuals below for your contribution to this topic:

Linh Nguyen (@linh.nguyen) - Product Support Manager at Katalon

Linh is the Product Support team Manager at Katalon. She spent many years working as an Automation Testing QA before joining Katalon Product Support as a technical support expert. Based on her experience, she usually provides customers with highly applicable solutions. She now manages her team with a user-centric approach to guarantee customers greater success with Katalon products.

Thong Tran (@thong.tran) - Senior Software Engineer at Katalon

A passionate Katalon developer with a wealth of programming and testing expertise, Thong has been dedicated to providing exceptional enterprise support for the past five years, helping Katalon's customers achieve their testing goals with ease.