From 089a10afd658752763bd143753751f6770886c97 Mon Sep 17 00:00:00 2001
From: Denis Gukov
Date: Mon, 21 Oct 2024 10:43:09 +0000
Subject: [PATCH] fix(security): removing sensative env vars
---
 .vscode/launch.json | 3 ++-
 db_lib/LocalApp.go | 19 ++++++++++++++-----
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/.vscode/launch.json b/.vscode/launch.json
index 297f4e30f..4440b412c 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -10,7 +10,8 @@
 "args": ["server", "--config", "${workspaceFolder}/.devcontainer/config.json"],
 "cwd": "${workspaceFolder}",
 "env": {
- "PATH": "${workspaceFolder}/.venv/bin:${env:PATH}"
+ "PATH": "${workspaceFolder}/.venv/bin:${env:PATH}",
+ "SEMAPHORE_ADMIN_PASSWORD": "test123"
 }
 },
 {
diff --git a/db_lib/LocalApp.go b/db_lib/LocalApp.go
index 42996985d..3602b83ac 100644
--- a/db_lib/LocalApp.go
+++ b/db_lib/LocalApp.go
@@ -7,7 +7,7 @@ import (
 "github.com/ansible-semaphore/semaphore/pkg/task_logger"
 )
-func removeSensitiveEnvs(envs []string) (res []string) {
+func isSensitiveVar(v string) bool {
 sensitives := []string{
 "SEMAPHORE_ACCESS_KEY_ENCRYPTION",
 "SEMAPHORE_ADMIN_PASSWORD",
@@ -20,11 +20,20 @@ func removeSensitiveEnvs(envs []string) (res []string) {
 "SEMAPHORE_RUNNER_ID",
 }
+ for _, s := range sensitives {
+ if strings.HasPrefix(v, s+"=") {
+ return true
+ }
+ }
+
+ return false
+}
+
+func removeSensitiveEnvs(envs []string) (res []string) {
+
 for _, e := range envs {
- for _, s := range sensitives {
- if !strings.HasPrefix(e, s+"=") {
- res = append(res, e)
- }
+ if !isSensitiveVar(e) {
+ res = append(res, e)
 }
 }
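Review bot: The added `"SEMAPHORE_ADMIN_PASSWORD": "test123"` entry in the debug profile's `env` block commits a fixed credential to the repository. It is presumably there to exercise the new filtering in db_lib/LocalApp.go, but if the server uses this variable for the admin account, every instance started from this profile shares a password that anyone with repository access can read. Take the value from the developer's own environment instead, `"SEMAPHORE_ADMIN_PASSWORD": "${env:SEMAPHORE_ADMIN_PASSWORD}"`, or load it from an untracked file through `envFile`.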
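Review bot: `isSensitiveVar` is an exact-name, case-sensitive deny list, so a secret-bearing setting introduced later under a new name is passed through by `removeSensitiveEnvs` until someone extends `sensitives`. If the spawned processes need none of Semaphore's own settings (not visible from these hunks), matching the whole namespace with `strings.HasPrefix(v, "SEMAPHORE_")` would fail closed; otherwise put a comment on `sensitives` stating that every new secret setting must be listed there. The replaced loop appended each entry once per non-matching name, so sensitive variables were still returned. A table test asserting that `SEMAPHORE_ADMIN_PASSWORD=x` is dropped and `PATH=/bin` comes back exactly once would pin the fix. The middle of `sensitives` and the tail of `removeSensitiveEnvs` lie outside the hunks.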