Skip to content

Limit env variables propagated #13922

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Jul 30, 2020
Merged

Limit env variables propagated #13922

merged 7 commits into from
Jul 30, 2020

Conversation

blindpirate
Copy link
Collaborator

No description provided.

@blindpirate
Copy link
Collaborator Author

@bot-gradle test QF

@bot-gradle
Copy link
Collaborator

OK, I've already triggered QuickFeedback build for you.

@blindpirate blindpirate force-pushed the blindpirate/limit-env-variables branch from 5abd10c to bf2bd3e Compare July 24, 2020 12:35
@blindpirate
Copy link
Collaborator Author

@bot-gradle test QF

@bot-gradle
Copy link
Collaborator

Sorry some internal error occurs, please contact the administrator @blindpirate

@bot-gradle
Copy link
Collaborator

OK, I've already cancelled the old build and triggered a new QuickFeedback build for you.

wolfs
wolfs reviewed Jul 24, 2020
View reviewed changes
@blindpirate blindpirate force-pushed the blindpirate/limit-env-variables branch from bf2bd3e to 8f44394 Compare July 27, 2020 01:59
@blindpirate
Copy link
Collaborator Author

@bot-gradle test QF

@bot-gradle
Copy link
Collaborator

OK, I've already triggered QuickFeedback build for you.

@blindpirate blindpirate force-pushed the blindpirate/limit-env-variables branch from 8f44394 to 9995e10 Compare July 27, 2020 02:11
@blindpirate
Copy link
Collaborator Author

@bot-gradle test QF

@bot-gradle
Copy link
Collaborator

OK, I've already cancelled the old build and triggered a new QuickFeedback build for you.

@blindpirate blindpirate force-pushed the blindpirate/limit-env-variables branch 6 times, most recently from 7ed8b95 to 7cbcc1a Compare July 27, 2020 07:30
wolfs
wolfs requested changes Jul 27, 2020
View reviewed changes
@blindpirate blindpirate force-pushed the blindpirate/limit-env-variables branch 2 times, most recently from 32cf9d1 to 2e65f1f Compare July 27, 2020 09:55
@blindpirate
Copy link
Collaborator Author

@bot-gradle test RFN

@blindpirate blindpirate marked this pull request as ready for review July 27, 2020 09:58
@bot-gradle
Copy link
Collaborator

OK, I've already triggered ReadyForNightly build for you.

big-guy
big-guy requested changes Jul 27, 2020
View reviewed changes
buildSrc/subprojects/jvm/src/main/kotlin/gradlebuild/propagated-env-variables.kt Outdated

fun Test.configurePropagatedEnvVariables() {
if (BuildEnvironment.isCiServer) {
environment = System.getenv().entries.mapNotNull(::sanitize).toMap()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we also have something that looks at the propagated environment variables and does a sanity check for "bad words"?

e.g., things like BUILD_CACHE_PASSWORD and TEAMCITY_TOKEN would make it through our filter, so I think we should make it so the build fails at this point if any env var contains (case insensitive) "password" or "token" so we're forced to pick a different name.

The failures at the test level below are OK, but it's too late at that point.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few candidates to blacklist:

  • apikey
  • secret
  • auth
  • credential

@big-guy big-guy requested a review from donat July 27, 2020 12:54
donat
donat reviewed Jul 27, 2020
View reviewed changes
buildSrc/subprojects/jvm/src/main/kotlin/gradlebuild/propagated-env-variables.kt Outdated


fun Test.configurePropagatedEnvVariables() {
if (BuildEnvironment.isCiServer) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❌ Local builds might also leak credentials. I think we should filter env vars for all builds.

@blindpirate
Copy link
Collaborator Author

@bot-gradle test RFN

@bot-gradle
Copy link
Collaborator

OK, I've already triggered ReadyForNightly build for you.

@blindpirate blindpirate force-pushed the blindpirate/limit-env-variables branch 2 times, most recently from fea444e to 47f2b60 Compare July 28, 2020 14:54
@blindpirate
Copy link
Collaborator Author

@bot-gradle test RFN

@bot-gradle
Copy link
Collaborator

OK, I've already triggered ReadyForNightly build for you.

@blindpirate
Copy link
Collaborator Author

Now finally it passes all check, anyone wanna take an another look?

wolfs
wolfs requested changes Jul 29, 2020
View reviewed changes
@blindpirate
Copy link
Collaborator Author

@bot-gradle test RFN

@bot-gradle
Copy link
Collaborator

OK, I've already triggered ReadyForNightly build for you.

@blindpirate blindpirate force-pushed the blindpirate/limit-env-variables branch from 2a25f70 to 5ada5ad Compare July 29, 2020 07:21
wolfs
wolfs reviewed Jul 29, 2020
View reviewed changes
Copy link
Member

@wolfs wolfs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we shouldn't pass BUILD_ to the test JVM, since I don't need that variable on my machine either. Apart from that the PR looks good now.

wolfs
wolfs approved these changes Jul 29, 2020
View reviewed changes
Copy link
Member

@wolfs wolfs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@wolfs
Copy link
Member

wolfs commented Jul 29, 2020

We fork some more processes from the build of gradle/gradle, for example to run git or to dump stacktraces. Shall we review those as well?

@blindpirate
Copy link
Collaborator Author

@wolfs you mean javaexec like ktlint right?

@wolfs
Copy link
Member

wolfs commented Jul 29, 2020

@wolfs you mean javaexec like ktlint right?

I think exec and javaexec. We should only check what we use there, there is probably no need to do anything. And that is some follow up work.

@wolfs
Copy link
Member

wolfs commented Jul 29, 2020

As another follow up, we should probably convert this new code into a plugin and use it on the other public projects as well. It could be part of the GE conventions plugin.

@blindpirate blindpirate force-pushed the blindpirate/limit-env-variables branch from bdfac88 to 78cfa12 Compare July 29, 2020 12:33
@blindpirate blindpirate merged commit f30b025 into master Jul 30, 2020
@blindpirate blindpirate deleted the blindpirate/limit-env-variables branch July 30, 2020 03:42
donat pushed a commit that referenced this pull request Jul 31, 2020
@blindpirate @donat
Limit env variables propagated (#13922)
99a9147 
Limit environment variables propagated to test JVMs
to avoid leaking credentials
@donat
Copy link
Member

donat commented Jul 31, 2020

Cherry-picked to release.

big-guy added a commit that referenced this pull request Aug 3, 2020
@big-guy
Merge remote-tracking branch 'origin/release'
a76853b 
* origin/release:
  Update to 6.6 RC5
  Fix ktlint in Kotlin DSL
  Only use e.grdev.net for test distribution builds
  Upgrade conventions plugin to 0.7.1
  Fix build logic instrumentation when a static interface method creates an instance of a serializable lambda.
  Limit env variables propagated (#13922)
  Merge pull request #13904 from gradle/blindpirate/remove-cmd-line-args-in-bat
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@donat donat donat left review comments

@big-guy big-guy big-guy requested changes

@wolfs wolfs wolfs approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@blindpirate @bot-gradle @wolfs @donat @big-guy