
Commit 001450d

fix(support): sanitize agent env
1 parent f308322 commit 001450d


3 files changed

+36
-0
lines changed


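--- a/coderd/database/dbfake/dbfake.go
+++ b/coderd/database/dbfake/dbfake.go
@@ -95,6 +95,9 @@ func (b WorkspaceBuildBuilder) WithAgent(mutations ...func([]*sdkproto.Agent) []
 Auth: &sdkproto.Agent_Token{
 Token: b.agentToken,
 },
+Env: map[string]string{
+"SECRET_TOKEN": "supersecret",
+},
 }}
 for _, m := range mutations {
 agents = m(agents)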

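--- a/support/support.go
+++ b/support/support.go
@@ -191,6 +191,11 @@ func WorkspaceInfo(ctx context.Context, client *codersdk.Client, log slog.Logger
 log.Error(ctx, "fetch workspace", slog.Error(err), slog.F("workspace_id", workspaceID))
 return w
 }
+for _, res := range ws.LatestBuild.Resources {
+for _, agt := range res.Agents {
+sanitizeEnv(agt.EnvironmentVariables)
+}
+}
 w.Workspace = ws
 
 eg.Go(func() error {
@@ -346,3 +351,14 @@ func Run(ctx context.Context, d *Deps) (*Bundle, error) {
 
 return &b, nil
 }
+
+// sanitizeEnv modifies kvs in place and erases the values of keys containing
+// the strings "secret", "token", or "pass"
+func sanitizeEnv(kvs map[string]string) {
+for k := range kvs {
+kl := strings.ToLower(k)
+if strings.Contains(kl, "secret") || strings.Contains(kl, "token") || strings.Contains(kl, "pass") {
+kvs[k] = ""
+}
+}
+}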
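Review bot: The substring denylist in sanitizeEnv (hunk at 351-364) misses common secret-bearing names such as API_KEY, PRIVATE_KEY, AUTH_HEADER or CREDENTIALS, so those values would still be written into a bundle that is meant to leave the customer's environment. Either widen the condition, e.g. `if strings.Contains(kl, "secret") || strings.Contains(kl, "token") || strings.Contains(kl, "pass") || strings.Contains(kl, "key") || strings.Contains(kl, "auth") || strings.Contains(kl, "credential") {`, or keep the substrings in a package-level slice so the list and the doc comment on lines 355-356 stay in one place; a false positive only costs an empty value, so erring wide is cheap. Blanking to "" also makes a redacted variable indistinguishable from one that was genuinely empty; a fixed marker such as `"[REDACTED]"` would preserve that distinction for the reader, though the new assertion in support_test.go checks for Empty and would need the matching change. The loop added in WorkspaceInfo (hunk at 191-201) only walks ws.LatestBuild.Resources; if the agent fetched elsewhere in WorkspaceInfo also carries EnvironmentVariables it needs the same call — WorkspaceInfo's body continues outside the hunk, so I cannot confirm that from here.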

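--- a/support/support_test.go
+++ b/support/support_test.go
@@ -5,6 +5,7 @@ import (
 "context"
 "io"
 "net/http"
+"strings"
 "testing"
 "time"
 
@@ -57,6 +58,7 @@ func TestRun(t *testing.T) {
 require.NotEmpty(t, bun.Network.TailnetDebug)
 require.NotNil(t, bun.Network.NetcheckLocal)
 require.NotNil(t, bun.Workspace.Workspace)
+assertSanitizedWorkspace(t, bun.Workspace.Workspace)
 require.NotEmpty(t, bun.Workspace.BuildLogs)
 require.NotNil(t, bun.Workspace.Agent)
 require.NotEmpty(t, bun.Workspace.AgentStartupLogs)
@@ -92,6 +94,7 @@ func TestRun(t *testing.T) {
 require.NotEmpty(t, bun.Network.CoordinatorDebug)
 require.NotEmpty(t, bun.Network.TailnetDebug)
 require.NotNil(t, bun.Workspace)
+assertSanitizedWorkspace(t, bun.Workspace.Workspace)
 require.NotEmpty(t, bun.Logs)
 })
 
@@ -140,6 +143,20 @@ func assertSanitizedDeploymentConfig(t *testing.T, dc *codersdk.DeploymentConfig
 }
 }
 
+func assertSanitizedWorkspace(t *testing.T, ws codersdk.Workspace) {
+t.Helper()
+for _, res := range ws.LatestBuild.Resources {
+for _, agt := range res.Agents {
+for k, v := range agt.EnvironmentVariables {
+kl := strings.ToLower(k)
+if strings.Contains(kl, "secret") || strings.Contains(kl, "token") || strings.Contains(kl, "pass") {
+assert.Empty(t, v, "environment variable %q not sanitized", k)
+}
+}
+}
+}
+}
+
 func setupWorkspaceAndAgent(ctx context.Context, t *testing.T, client *codersdk.Client, db database.Store, user codersdk.CreateFirstUserResponse) (codersdk.Workspace, codersdk.WorkspaceAgent) {
 // This is a valid zip file
 zipBytes := make([]byte, 22)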
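Review bot: assertSanitizedWorkspace (hunk at 143-162) can pass vacuously: it only asserts emptiness for keys that match the filter and never checks that any such key was present, so the test would still succeed if the agent's env were dropped, never populated, or if the fixture and the code under test disagreed on the key. Since the dbfake fixture in this same commit seeds SECRET_TOKEN, add `require.Contains(t, agt.EnvironmentVariables, "SECRET_TOKEN")` inside the agent loop (or count matches and `require.NotZero` it after the loops) so the sanitizer is actually exercised. The helper also restates sanitizeEnv's substring list verbatim, so the two can drift apart silently; a comment such as `// must mirror the substrings matched by sanitizeEnv in support.go`, plus a negative case asserting that a benign key like HOME keeps its value, would guard both directions. setupWorkspaceAndAgent on line 160 continues outside the hunk.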
