Skip to content

Commit a440d99

Browse files
DrJosh9000DrJosh9000
authored
Merge pull request #3957 from buildkite/comments-on-env-files
internal: Add comments about env files
2 parents 74a33d1 + 214bb7b commit a440d99

1 file changed

Lines changed: 18 additions & 1 deletion

File tree

agent/job_runner.go

Lines changed: 18 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -492,6 +492,15 @@ BUILDKITE_AGENT_JWKS_KEY_ID`
492492
}
493493

494494
for key, value := range env {
495+
// Note that the value below is %q-quoted, and not shell-escaped.
496+
// Env files are designed to be validated by the pre-bootstrap hook.
497+
// Because the job env may contain untrusted or even dangerous env
498+
// vars (suppose a user adds an env var in the "New Build" UI with a
499+
// value that exploits a command injection in Bash), the
500+
// pre-bootstrap hook should do this validation *without* sourcing
501+
// the file. (If the job env was universally safe, then we wouldn't
502+
// bother using a file - we'd load it straight into the subprocess
503+
// env.)
495504
if _, err := fmt.Fprintf(r.envShellFile, "%s=%q\n", key, value); err != nil {
496505
return nil, err
497506
}
@@ -501,6 +510,8 @@ BUILDKITE_AGENT_JWKS_KEY_ID`
501510
}
502511
}
503512
if r.envJSONFile != nil {
513+
// key="value" format can be difficult to parse in some circumstances,
514+
// so we also have a JSON formatted env file.
504515
if err := json.NewEncoder(r.envJSONFile).Encode(env); err != nil {
505516
return nil, err
506517
}
@@ -783,7 +794,13 @@ func (r *JobRunner) executePreBootstrapHook(ctx context.Context, hook string) (b
783794

784795
// This (plus inherited) is the only ENV that should be exposed
785796
// to the pre-bootstrap hook.
786-
// - Env files are designed to be validated by the pre-bootstrap hook
797+
// - Env files are designed to be validated by the pre-bootstrap hook.
798+
// Because the job env may contain untrusted or even dangerous env vars
799+
// (suppose a user adds an env var in the "New Build" UI with a value that
800+
// exploits a command injection in Bash), the pre-bootstrap hook should do
801+
// this validation *without* sourcing the file. (If the job env was
802+
// universally safe to source, then we would just pre-populate this env
803+
// with it.)
787804
// - The pre-bootstrap hook may want to create annotations, so it can also
788805
// have a few necessary and global args as env vars.
789806
environ := envutil.New()

0 commit comments

Comments
 (0)