Merge pull request #40 from brycenichols/filter_var_names

Do not allow anything except ^[_A-Za-z][A-Za-z0-9_]*$ for environment…

Author: lewg

.github/workflows/tag.yml

@@ -31,6 +31,14 @@ jobs:
         with:
           go-version: 1.21
         id: go
+      - name: Set up Python 3.13
+        uses: actions/setup-python@v3
+        with:
+          python-version: "3.13"
+      - name: Install cram
+        run: |
+          python -m pip install --upgrade pip
+          pip install cram
       - name: Check out new tag into the Go module directory
         uses: actions/checkout@v2
         with:

Makefile

@@ -5,7 +5,7 @@ PROJECT_NAME := buildenv
 
 all: clean build-deps build
 
-test:
+test: build-local
 	go test ./...
 	cram cram_tests
 
@@ -17,7 +17,7 @@ build: test
 	for pkg in $$(ls pkg/); do cp CONTRIBUTING.md CONTRIBUTORS.md LICENSE NOTICE pkg/$${pkg}; done
 	for pkg in $$(ls pkg/); do cd pkg/$${pkg}; tar cvzf "../../$(PROJECT_NAME)-$${pkg}-$(VERSION).tar.gz" *; cd ../..; done
 
-build-local: test
+build-local:
 	CGO_ENABLED=0 go build -ldflags "-X main.version=$(VERSION)" -o $(PROJECT_NAME)
 
 clean:

cram_tests/inject.t

@@ -0,0 +1,14 @@
+Setup
+
+  $ . "$TESTDIR"/setup.sh
+
+Try injecting quote
+
+  $ echo '{"vars":{"Q": "\"; echo bad \""}}' > test.yml
+  $ be -f test.yml
+  export Q="\"; echo bad \""
+
+Bad keys
+
+  $ echo '{"vars":{"export hi=there; dosomethingevil && ": "hi"}}' > test2.yml
+  $ be -f test2.yml

cram_tests/regress.t

@@ -0,0 +1,10 @@
+Setup
+
+  $ . "$TESTDIR"/setup.sh
+
+Regular run
+
+  $ buildenv -cf "$TESTDIR"/../no_secrets.yml
+  # Global Variables
+  export TEST="no secrets"
+

cram_tests/setup.sh

@@ -1,3 +1,2 @@
 #!/usr/bin/env bash
-alias be="${TESTDIR}/../Buildenv-Tool -f ${TESTDIR}/../no_secrets.yml"
-
+alias be="${TESTDIR}/../buildenv -f ${TESTDIR}/../no_secrets.yml"

reader/reader.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"os"
 	"os/exec"
+	"regexp"
 	"slices"
 	"strings"
 
@@ -43,6 +44,8 @@ func (e EnvVars) GetOutput() OutputList {
 
 type Secrets map[string]string
 
+var shellvar_regexp = regexp.MustCompile("^[_A-Za-z][A-Za-z0-9_]*$")
+
 func (s Secrets) GetOutput(ctx context.Context, r *Reader) (OutputList, error) {
 	// Read it like a kv secrets where all keys are "value"
 	kvSecrets := KVSecrets{}
@@ -245,8 +248,10 @@ func (o OutputList) Exec(shell_cmd string) int {
 	}
 
 	for _, out := range o {
-		s := fmt.Sprintf("%s=%s", out.Key, out.Value)
-		cmd.Env = append(cmd.Environ(), s)
+		if shellvar_regexp.MatchString(out.Key) {
+			s := fmt.Sprintf("%s=%s", out.Key, out.Value)
+			cmd.Env = append(cmd.Environ(), s)
+		}
 	}
 
 	cmd.Stdin = os.Stdin
@@ -265,19 +270,19 @@ func (o OutputList) Exec(shell_cmd string) int {
 
 func (o OutputList) Print(showComments bool) {
 	for _, out := range o {
-		keySpace := ""
-		nl := false
-		if out.Key != "" {
-			fmt.Printf("export %s=%q", out.Key, out.Value)
-			keySpace = " "
-			nl = true
-		}
-		if out.Comment != "" && showComments {
-			fmt.Printf("%s# %s", keySpace, out.Comment)
-			nl = true
-		}
-		if nl {
-			fmt.Println()
+		if out.Key == "" {
+			if showComments && out.Comment != "" {
+				fmt.Printf("# %s\n", out.Comment)
+			}
+		} else {
+			/* silently discards variable names that are not shell safe */
+			if shellvar_regexp.MatchString(out.Key) {
+				fmt.Printf("export %s=%q", out.Key, out.Value)
+				if out.Comment != "" && showComments {
+					fmt.Printf(" # %s", out.Comment)
+				}
+				fmt.Println()
+			}
 		}
 	}
 }