From 5822ed10fd5dbbfe35ec9cfcb2380f99c06a500c Mon Sep 17 00:00:00 2001
From: Denis Gukov
Date: Mon, 21 Oct 2024 15:55:54 +0500
Subject: [PATCH] fix(security): clear env vars
---
 db_lib/AnsiblePlaybook.go | 2 +-
 db_lib/LocalApp.go | 32 --------------------------------
 db_lib/ShellApp.go | 2 +-
 db_lib/TerraformApp.go | 2 +-
 4 files changed, 3 insertions(+), 35 deletions(-)
diff --git a/db_lib/AnsiblePlaybook.go b/db_lib/AnsiblePlaybook.go
index d321b6a75..4b85d5c7f 100644
--- a/db_lib/AnsiblePlaybook.go
+++ b/db_lib/AnsiblePlaybook.go
@@ -22,7 +22,7 @@ func (p AnsiblePlaybook) makeCmd(command string, args []string, environmentVars
 cmd := exec.Command(command, args...) //nolint: gas
 cmd.Dir = p.GetFullPath()
- cmd.Env = removeSensitiveEnvs(os.Environ())
+ cmd.Env = string[]{}
 cmd.Env = append(cmd.Env, fmt.Sprintf("HOME=%s", util.Config.TmpPath))
 cmd.Env = append(cmd.Env, fmt.Sprintf("PWD=%s", cmd.Dir))
diff --git a/db_lib/LocalApp.go b/db_lib/LocalApp.go
index 3602b83ac..ff41911bd 100644
--- a/db_lib/LocalApp.go
+++ b/db_lib/LocalApp.go
@@ -7,38 +7,6 @@ import (
 "github.com/ansible-semaphore/semaphore/pkg/task_logger"
 )
-func isSensitiveVar(v string) bool {
- sensitives := []string{
- "SEMAPHORE_ACCESS_KEY_ENCRYPTION",
- "SEMAPHORE_ADMIN_PASSWORD",
- "SEMAPHORE_DB_USER",
- "SEMAPHORE_DB_NAME",
- "SEMAPHORE_DB_HOST",
- "SEMAPHORE_DB_PASS",
- "SEMAPHORE_LDAP_PASSWORD",
- "SEMAPHORE_RUNNER_TOKEN",
- "SEMAPHORE_RUNNER_ID",
- }
-
- for _, s := range sensitives {
- if strings.HasPrefix(v, s+"=") {
- return true
- }
- }
-
- return false
-}
-
-func removeSensitiveEnvs(envs []string) (res []string) {
-
- for _, e := range envs {
- if !isSensitiveVar(e) {
- res = append(res, e)
- }
- }
-
- return res
-}
 type LocalApp interface {
 SetLogger(logger task_logger.Logger) task_logger.Logger
diff --git a/db_lib/ShellApp.go b/db_lib/ShellApp.go
index e2fdcc123..abd4065a3 100644
--- a/db_lib/ShellApp.go
+++ b/db_lib/ShellApp.go
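Review bot: The added line `cmd.Env = string[]{}` is not valid Go — a slice literal is spelled `[]string{}` — so this file, and the identical added lines in the ShellApp.go and TerraformApp.go hunks, will not compile as committed. If `os` was imported in these three files only for `os.Environ()` (and `strings` in LocalApp.go only for `strings.HasPrefix` in the removed helper), the now-unused imports will also fail compilation; the diffstat shows no import lines changed, so this is worth checking. Starting the child from an empty environment is a stronger guarantee than the removed denylist, but the child now inherits no PATH, LANG or TMPDIR; as I read exec.Command, the command itself is still resolved with the parent's PATH, while anything the tool spawns in turn (ssh, python, providers) may not be, so consider appending an explicit `PATH` entry next to the HOME and PWD lines. makeCmd's body continues outside the hunk, so any later appends of environmentVars are not visible here.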
@@ -44,7 +44,7 @@ func (t *ShellApp) makeCmd(command string, args []string, environmentVars *[]str
 cmd := exec.Command(command, args...) //nolint: gas
 cmd.Dir = t.GetFullPath()
- cmd.Env = removeSensitiveEnvs(os.Environ())
+ cmd.Env = string[]{}
 cmd.Env = append(cmd.Env, fmt.Sprintf("HOME=%s", util.Config.TmpPath))
 cmd.Env = append(cmd.Env, fmt.Sprintf("PWD=%s", cmd.Dir))
diff --git a/db_lib/TerraformApp.go b/db_lib/TerraformApp.go
index dd9996f5d..c8702153b 100644
--- a/db_lib/TerraformApp.go
+++ b/db_lib/TerraformApp.go
@@ -37,7 +37,7 @@ func (t *TerraformApp) makeCmd(command string, args []string, environmentVars *[
 cmd := exec.Command(command, args...) //nolint: gas
 cmd.Dir = t.GetFullPath()
- cmd.Env = removeSensitiveEnvs(os.Environ())
+ cmd.Env = string[]{}
 cmd.Env = append(cmd.Env, fmt.Sprintf("HOME=%s", util.Config.TmpPath))
 cmd.Env = append(cmd.Env, fmt.Sprintf("PWD=%s", cmd.Dir))