Commit3ee667f

committed
provisioner: don't pass CODER_ variables
1 parent0a5e554 commit3ee667f


3 files changed

+112
-2
lines changed


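--- a/provisioner/terraform/executor.go
+++ b/provisioner/terraform/executor.go
@@ -41,6 +41,41 @@ func (e executor) basicEnv() []string {
 	return env
 }
 
+func envName(env string) string {
+	parts := strings.Split(env, "=")
+
+	if len(parts) > 0 {
+		return parts[0]
+	}
+	return ""
+}
+
+// sanitizeCoderEnv removes CODER_ environment variables to prevent accidentally
+// passing in secrets. See https://github.com/coder/coder/issues/4635.
+func sanitizeCoderEnv(env []string) []string {
+	var coderSafeEnv = map[string]struct{}{
+		"CODER_AGENT_URL":             {},
+		"CODER_WORKSPACE_TRANSITION":  {},
+		"CODER_WORKSPACE_NAME":        {},
+		"CODER_WORKSPACE_OWNER":       {},
+		"CODER_WORKSPACE_OWNER_EMAIL": {},
+		"CODER_WORKSPACE_ID":          {},
+		"CODER_WORKSPACE_OWNER_ID":    {},
+	}
+
+	strippedEnv := make([]string, 0, len(env))
+	for _, e := range env {
+		name := envName(e)
+		if strings.HasPrefix(name, "CODER_") {
+			if _, isSafe := coderSafeEnv[name]; !isSafe {
+				continue
+			}
+		}
+		strippedEnv = append(strippedEnv, e)
+	}
+	return strippedEnv
+}
+
 func (e executor) execWriteOutput(ctx, killCtx context.Context, args, env []string, stdOutWriter, stdErrWriter io.WriteCloser) (err error) {
 	defer func() {
 		closeErr := stdOutWriter.Close()
@@ -59,7 +94,7 @@ func (e executor) execWriteOutput(ctx, killCtx context.Context, args, env []stri
 	// #nosec
 	cmd := exec.CommandContext(killCtx, e.binaryPath, args...)
 	cmd.Dir = e.workdir
-	cmd.Env = env
+	cmd.Env = sanitizeCoderEnv(env)
 
 	// We want logs to be written in the correct order, so we wrap all logging
 	// in a sync.Mutex.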
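Review bot: The coderSafeEnv allowlist inside sanitizeCoderEnv is rebuilt on every call and, as the comment this commit adds in provision.go admits, must be kept in sync by hand with the names provisionEnv appends, so a variable added on one side and forgotten on the other is silently dropped from the terraform process. Hoisting it to a package-level `var coderSafeEnv = map[string]struct{}{ ... }` (or a shared slice of names that provisionEnv ranges over and sanitizeCoderEnv builds its set from) makes that drift a test failure instead of a silent one. envName splits the whole string just to read the name, and its `len(parts) > 0` branch is the only one reachable since strings.Split never returns an empty slice; if the module targets Go 1.18+, `name, _, _ := strings.Cut(env, "=")` says the same in one line. The doc comment also understates the behaviour: suggest `// sanitizeCoderEnv drops every CODER_-prefixed variable that is not in the coderSafeEnv allowlist, so control-plane secrets in the provisioner's environment never reach terraform. See https://github.com/coder/coder/issues/4635.`.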

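--- a/provisioner/terraform/provision.go
+++ b/provisioner/terraform/provision.go
@@ -189,6 +189,8 @@ func provisionVars(start *proto.Provision_Start) ([]string, error) {
 
 func provisionEnv(start *proto.Provision_Start) ([]string, error) {
 	env := os.Environ()
+	// Be sure to add any values here to `sanitizeCoderEnv`, otherwise they will not
+	// get passed into the execute.
 	env = append(env,
 		"CODER_AGENT_URL="+start.Metadata.CoderUrl,
 		"CODER_WORKSPACE_TRANSITION="+strings.ToLower(start.Metadata.WorkspaceTransition.String()),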
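Review bot: The comment added at new lines 192–193 ends in "get passed into the execute", which does not say where the filtering happens or what is lost; suggest `// Any CODER_ variable appended here must also be allowlisted in sanitizeCoderEnv` / `// (executor.go), otherwise it is stripped before terraform runs.`. A pointer to the file matters because the allowlist and this append live in different files and nothing enforces that they agree. provisionEnv continues past the end of the hunk.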

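--- a/provisioner/terraform/provision_test.go
+++ b/provisioner/terraform/provision_test.go
@@ -415,7 +415,7 @@ func TestProvision(t *testing.T) {
 // nolint:paralleltest
 func TestProvision_ExtraEnv(t *testing.T) {
 	// #nosec
-	secretValue := "oinae3uinxase"
+	const secretValue = "oinae3uinxase"
 	t.Setenv("TF_LOG", "INFO")
 	t.Setenv("TF_SUPERSECRET", secretValue)
 
@@ -459,3 +459,76 @@ func TestProvision_ExtraEnv(t *testing.T) {
 	}
 	require.True(t, found)
 }
+
+// nolint:paralleltest
+func TestProvision_SafeEnv(t *testing.T) {
+	// #nosec
+	const (
+		passedValue = "superautopets"
+		secretValue = "oinae3uinxase"
+	)
+
+	t.Setenv("VALID_USER_ENV", passedValue)
+
+	// We ensure random CODER_ variables aren't passed through to avoid leaking
+	// control plane secrets (e.g. PG URL).
+	t.Setenv("CODER_SECRET", secretValue)
+
+	const echoResource = `
+	resource "null_resource" "a" {
+		provisioner "local-exec" {
+			command = "env"
+		}
+	}
+
+	`
+
+	ctx, api := setupProvisioner(t, nil)
+
+	directory := t.TempDir()
+	path := filepath.Join(directory, "main.tf")
+	err := os.WriteFile(path, []byte(echoResource), 0o600)
+	require.NoError(t, err)
+
+	request := &proto.Provision_Request{
+		Type: &proto.Provision_Request_Start{
+			Start: &proto.Provision_Start{
+				Directory: directory,
+				Metadata: &proto.Provision_Metadata{
+					WorkspaceTransition: proto.WorkspaceTransition_START,
+				},
+			},
+		},
+	}
+	response, err := api.Provision(ctx)
+	require.NoError(t, err)
+	err = response.Send(request)
+	require.NoError(t, err)
+	var (
+		foundUserEnv = false
+		// Some CODER_ environment variables used by our Terraform provider
+		// must make it through.
+		foundCoderEnv = false
+	)
+	for {
+		msg, err := response.Recv()
+		require.NoError(t, err)
+
+		if log := msg.GetLog(); log != nil {
+			t.Log(log.Level.String(), log.Output)
+			if strings.Contains(log.Output, passedValue) {
+				foundUserEnv = true
+			}
+			if strings.Contains(log.Output, "CODER_") {
+				foundCoderEnv = true
+			}
+			require.NotContains(t, log.Output, secretValue)
+		}
+		if c := msg.GetComplete(); c != nil {
+			require.Empty(t, c.Error)
+			break
+		}
+	}
+	require.True(t, foundUserEnv)
+	require.True(t, foundCoderEnv)
+}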
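Review bot: The positive check `strings.Contains(log.Output, "CODER_")` at new line 522 is satisfied by any log line that mentions the prefix, and the negative check at line 525 only looks for the secret's value, so the test does not actually pin that the allowlisted names arrive and the non-allowlisted name does not. Assert on variable names rather than bare substrings: add `require.NotContains(t, log.Output, "CODER_SECRET=")` beside the existing NotContains, and set foundCoderEnv only for an allowlisted variable, e.g. `strings.Contains(log.Output, "CODER_WORKSPACE_TRANSITION=")` (its value is whatever provisionEnv emits for WorkspaceTransition_START, so matching on the name alone is safest). That keeps the test tied to the sanitizeCoderEnv allowlist instead of to the presence of the prefix somewhere in terraform's output.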

