Unset HELM_PLUGIN_* credentials after storing them locally

Copilot · aslafy-z · Copilot · commit 3f81785ffbed · 2025-09-30T08:26:49.000Z
Co-authored-by: aslafy-z &lt;8191198+aslafy-z@users.noreply.github.com&gt;
diff --git a/helm-git-plugin.sh b/helm-git-plugin.sh
@@ -121,10 +121,20 @@ setup_git_credentials() {
   if [ -n "${HELM_PLUGIN_USERNAME:-}" ] && [ -n "${HELM_PLUGIN_PASSWORD:-}" ]; then
     debug "Setting up git credentials using Helm-provided username and password"
 
+    # Store credentials in local variables before unsetting environment variables
+    HELM_GIT_USERNAME="${HELM_PLUGIN_USERNAME}"
+    HELM_GIT_PASSWORD="${HELM_PLUGIN_PASSWORD}"
+    export HELM_GIT_USERNAME
+    export HELM_GIT_PASSWORD
+
+    # Unset the original environment variables to prevent them from being passed to child processes
+    unset HELM_PLUGIN_USERNAME
+    unset HELM_PLUGIN_PASSWORD
+
     # Mark that credentials are available for git_cmd
     export HELM_GIT_USE_CREDENTIALS="1"
 
-    trace "Git credential helper configured with username: ${HELM_PLUGIN_USERNAME}"
+    trace "Git credential helper configured with username: ${HELM_GIT_USERNAME}"
   else
     trace "No Helm plugin credentials found, using existing git authentication"
   fi
@@ -135,7 +145,7 @@ setup_git_credentials() {
 git_cmd() {
   if [ "${HELM_GIT_USE_CREDENTIALS:-}" = "1" ]; then
     # shellcheck disable=SC2016
-    GIT_USER="${HELM_PLUGIN_USERNAME}" GIT_PASSWORD="${HELM_PLUGIN_PASSWORD}" git -c credential.helper='!f() { echo "username=${GIT_USER}"; echo "password=${GIT_PASSWORD}"; }; f' "$@"
+    GIT_USER="${HELM_GIT_USERNAME}" GIT_PASSWORD="${HELM_GIT_PASSWORD}" git -c credential.helper='!f() { echo "username=${GIT_USER}"; echo "password=${GIT_PASSWORD}"; }; f' "$@"
   else
     git "$@"
   fi
diff --git a/tests/07-credentials.bats b/tests/07-credentials.bats
@@ -23,11 +23,17 @@ setup_file() {
     # Check that HELM_GIT_USE_CREDENTIALS is set to enable git_cmd wrapper
     [[ "$output" == *"HELM_GIT_USE_CREDENTIALS=1"* ]]
 
-    # Check that the global GIT_USER and GIT_PASSWORD are not set (they should not be exported globally)
-    run bash -c 'source "${HELM_GIT_DIRNAME}/helm-git-plugin.sh" && setup_git_credentials && echo "GIT_USER=${GIT_USER:-unset}" && echo "GIT_PASSWORD=${GIT_PASSWORD:-unset}"'
+    # Check that the original HELM_PLUGIN_* variables are unset for security
+    run bash -c 'source "${HELM_GIT_DIRNAME}/helm-git-plugin.sh" && setup_git_credentials && echo "HELM_PLUGIN_USERNAME=${HELM_PLUGIN_USERNAME:-unset}" && echo "HELM_PLUGIN_PASSWORD=${HELM_PLUGIN_PASSWORD:-unset}"'
     [ $status = 0 ]
-    [[ "$output" == *"GIT_USER=unset"* ]]
-    [[ "$output" == *"GIT_PASSWORD=unset"* ]]
+    [[ "$output" == *"HELM_PLUGIN_USERNAME=unset"* ]]
+    [[ "$output" == *"HELM_PLUGIN_PASSWORD=unset"* ]]
+
+    # Check that the internal HELM_GIT_* variables are set
+    run bash -c 'source "${HELM_GIT_DIRNAME}/helm-git-plugin.sh" && setup_git_credentials && echo "HELM_GIT_USERNAME=${HELM_GIT_USERNAME}" && echo "HELM_GIT_PASSWORD=${HELM_GIT_PASSWORD}"'
+    [ $status = 0 ]
+    [[ "$output" == *"HELM_GIT_USERNAME=testuser"* ]]
+    [[ "$output" == *"HELM_GIT_PASSWORD=testpass"* ]]
 }
 
 @test "should not setup git credentials when HELM_PLUGIN_USERNAME is missing" {
