
Merge commit from fork
fix(security): clear env vars
fiftin committed Oct 21, 2024
2 parents 089a10a + 5822ed1 commit 06b52b1
Showing 4 changed files with 11 additions and 43 deletions.
2 changes: 1 addition & 1 deletion db_lib/AnsiblePlaybook.go
Expand Up @@ -22,7 +22,7 @@ func (p AnsiblePlaybook) makeCmd(command string, args []string, environmentVars
cmd := exec.Command(command, args...) //nolint: gas
cmd.Dir = p.GetFullPath()

cmd.Env = removeSensitiveEnvs(os.Environ())
cmd.Env = []string{}

cmd.Env = append(cmd.Env, fmt.Sprintf("HOME=%s", util.Config.TmpPath))
cmd.Env = append(cmd.Env, fmt.Sprintf("PWD=%s", cmd.Dir))
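Review bot: Starting `cmd.Env` from an empty slice in the added line drops not only the daemon's secrets but also `PATH` (and the likes of `TMPDIR`, `LANG`, `SSL_CERT_FILE` and proxy variables) from the task process. `exec.Command` resolves `command` through the parent's PATH at construction time, so the playbook binary itself is still found, but anything it execs in turn (ssh, the Python interpreter) runs with no PATH unless one is appended in the part of makeCmd below the hunk, which is not visible here; if it is not, add it explicitly with `cmd.Env = append(cmd.Env, "PATH="+os.Getenv("PATH"))` and keep the allowlist approach for everything else. The intent of the new line deserves a comment, since the denylist it replaces is deleted from db_lib/LocalApp.go in this same commit and a future reader may be tempted to set `cmd.Env = nil`: `// Non-nil empty Env: nil would inherit os.Environ(). Build the task environment from scratch (allowlist) so secrets in the server's own environment, e.g. DB credentials, the encryption key and the runner token, are never inherited by the task.` The same applies to the identical hunks in db_lib/ShellApp.go and db_lib/TerraformApp.go. makeCmd continues below the hunk in all three files.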
34 changes: 0 additions & 34 deletions db_lib/LocalApp.go
Expand Up @@ -2,44 +2,10 @@ package db_lib

import (
"os"
"strings"

"github.com/ansible-semaphore/semaphore/pkg/task_logger"
)

func isSensitiveVar(v string) bool {
sensitives := []string{
"SEMAPHORE_ACCESS_KEY_ENCRYPTION",
"SEMAPHORE_ADMIN_PASSWORD",
"SEMAPHORE_DB_USER",
"SEMAPHORE_DB_NAME",
"SEMAPHORE_DB_HOST",
"SEMAPHORE_DB_PASS",
"SEMAPHORE_LDAP_PASSWORD",
"SEMAPHORE_RUNNER_TOKEN",
"SEMAPHORE_RUNNER_ID",
}

for _, s := range sensitives {
if strings.HasPrefix(v, s+"=") {
return true
}
}

return false
}

func removeSensitiveEnvs(envs []string) (res []string) {

for _, e := range envs {
if !isSensitiveVar(e) {
res = append(res, e)
}
}

return res
}

type LocalApp interface {
SetLogger(logger task_logger.Logger) task_logger.Logger
InstallRequirements(environmentVars *[]string) error
9 changes: 5 additions & 4 deletions db_lib/ShellApp.go
Expand Up @@ -2,13 +2,14 @@ package db_lib

import (
"fmt"
"github.com/ansible-semaphore/semaphore/db"
"github.com/ansible-semaphore/semaphore/pkg/task_logger"
"github.com/ansible-semaphore/semaphore/util"
"os"
"os/exec"
"strings"
"time"

"github.com/ansible-semaphore/semaphore/db"
"github.com/ansible-semaphore/semaphore/pkg/task_logger"
"github.com/ansible-semaphore/semaphore/util"
)

type ShellApp struct {
Expand Down Expand Up @@ -44,7 +45,7 @@ func (t *ShellApp) makeCmd(command string, args []string, environmentVars *[]str
cmd := exec.Command(command, args...) //nolint: gas
cmd.Dir = t.GetFullPath()

cmd.Env = removeSensitiveEnvs(os.Environ())
cmd.Env = []string{}
cmd.Env = append(cmd.Env, fmt.Sprintf("HOME=%s", util.Config.TmpPath))
cmd.Env = append(cmd.Env, fmt.Sprintf("PWD=%s", cmd.Dir))

9 changes: 5 additions & 4 deletions db_lib/TerraformApp.go
Expand Up @@ -2,14 +2,15 @@ package db_lib

import (
"fmt"
"github.com/ansible-semaphore/semaphore/db"
"github.com/ansible-semaphore/semaphore/pkg/task_logger"
"github.com/ansible-semaphore/semaphore/util"
"os"
"os/exec"
"path"
"strings"
"time"

"github.com/ansible-semaphore/semaphore/db"
"github.com/ansible-semaphore/semaphore/pkg/task_logger"
"github.com/ansible-semaphore/semaphore/util"
)

type TerraformApp struct {
Expand Down Expand Up @@ -37,7 +38,7 @@ func (t *TerraformApp) makeCmd(command string, args []string, environmentVars *[
cmd := exec.Command(command, args...) //nolint: gas
cmd.Dir = t.GetFullPath()

cmd.Env = removeSensitiveEnvs(os.Environ())
cmd.Env = []string{}
cmd.Env = append(cmd.Env, fmt.Sprintf("HOME=%s", util.Config.TmpPath))
cmd.Env = append(cmd.Env, fmt.Sprintf("PWD=%s", cmd.Dir))

