fix(support): sanitize manifest (#12711)

johnstcn · web-flow · commit 28730ca3d8ac · 2024-03-21T19:55:34.000Z
diff --git a/cli/support_test.go b/cli/support_test.go
@@ -2,6 +2,7 @@ package cli_test
 
 import (
 	"archive/zip"
+	"bytes"
 	"encoding/json"
 	"io"
 	"os"
@@ -12,6 +13,7 @@ import (
 
 	"tailscale.com/ipn/ipnstate"
 
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/agent"
@@ -23,6 +25,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
+	"github.com/coder/coder/v2/provisionersdk/proto"
 	"github.com/coder/coder/v2/tailnet"
 	"github.com/coder/coder/v2/testutil"
 )
@@ -38,10 +41,15 @@ func TestSupportBundle(t *testing.T) {
 		ctx := testutil.Context(t, testutil.WaitShort)
 		client, db := coderdtest.NewWithDatabase(t, nil)
 		owner := coderdtest.CreateFirstUser(t, client)
+		randSecretValue := uuid.NewString()
 		r := dbfake.WorkspaceBuild(t, db, database.Workspace{
 			OrganizationID: owner.OrganizationID,
 			OwnerID:        owner.UserID,
-		}).WithAgent().Do()
+		}).WithAgent(func(agents []*proto.Agent) []*proto.Agent {
+			// This should not show up in the bundle output
+			agents[0].Env["SECRET_VALUE"] = randSecretValue
+			return agents
+		}).Do()
 		ws, err := client.Workspace(ctx, r.Workspace.ID)
 		require.NoError(t, err)
 		tempDir := t.TempDir()
@@ -81,7 +89,7 @@ func TestSupportBundle(t *testing.T) {
 		clitest.SetupConfig(t, client, root)
 		err = inv.Run()
 		require.NoError(t, err)
-		assertBundleContents(t, path)
+		assertBundleContents(t, path, randSecretValue)
 	})
 
 	t.Run("NoWorkspace", func(t *testing.T) {
@@ -126,12 +134,13 @@ func TestSupportBundle(t *testing.T) {
 	})
 }
 
-func assertBundleContents(t *testing.T, path string) {
+func assertBundleContents(t *testing.T, path string, badValues ...string) {
 	t.Helper()
 	r, err := zip.OpenReader(path)
 	require.NoError(t, err, "open zip file")
 	defer r.Close()
 	for _, f := range r.File {
+		assertDoesNotContain(t, f, badValues...)
 		switch f.Name {
 		case "deployment/buildinfo.json":
 			var v codersdk.BuildInfoResponse
@@ -244,3 +253,13 @@ func readBytesFromZip(t *testing.T, f *zip.File) []byte {
 	require.NoError(t, err, "read bytes from zip")
 	return bs
 }
+
+func assertDoesNotContain(t *testing.T, f *zip.File, vals ...string) {
+	t.Helper()
+	bs := readBytesFromZip(t, f)
+	for _, val := range vals {
+		if bytes.Contains(bs, []byte(val)) {
+			t.Fatalf("file %q should not contain value %q", f.Name, val)
+		}
+	}
+}
diff --git a/coderd/database/dbfake/dbfake.go b/coderd/database/dbfake/dbfake.go
@@ -95,9 +95,7 @@ func (b WorkspaceBuildBuilder) WithAgent(mutations ...func([]*sdkproto.Agent) []
 		Auth: &sdkproto.Agent_Token{
 			Token: b.agentToken,
 		},
-		Env: map[string]string{
-			"SECRET_TOKEN": "supersecret",
-		},
+		Env: map[string]string{},
 	}}
 	for _, m := range mutations {
 		agents = m(agents)
diff --git a/support/support.go b/support/support.go
@@ -407,6 +407,7 @@ func connectedAgentInfo(ctx context.Context, client *codersdk.Client, log slog.L
 		if err := json.NewDecoder(bytes.NewReader(manifestRes)).Decode(&a.Manifest); err != nil {
 			return xerrors.Errorf("decode agent manifest: %w", err)
 		}
+		sanitizeEnv(a.Manifest.EnvironmentVariables)
 
 		return nil
 	})
diff --git a/support/support_test.go b/support/support_test.go
@@ -73,9 +73,11 @@ func TestRun(t *testing.T) {
 		assertNotNilNotEmpty(t, bun.Workspace.TemplateFileBase64, "workspace template file should be present")
 		require.NotNil(t, bun.Workspace.Parameters, "workspace parameters should be present")
 		assertNotNilNotEmpty(t, bun.Agent.Agent, "agent should be present")
-		assertSanitizedAgent(t, *bun.Agent.Agent)
+		assertSanitizedEnv(t, bun.Agent.Agent.EnvironmentVariables)
 		assertNotNilNotEmpty(t, bun.Agent.ListeningPorts, "agent listening ports should be present")
 		assertNotNilNotEmpty(t, bun.Agent.Logs, "agent logs should be present")
+		assertNotNilNotEmpty(t, bun.Agent.Manifest, "agent manifest should be present")
+		assertSanitizedEnv(t, bun.Agent.Manifest.EnvironmentVariables)
 		assertNotNilNotEmpty(t, bun.Agent.AgentMagicsockHTML, "agent magicsock should be present")
 		assertNotNilNotEmpty(t, bun.Agent.ClientMagicsockHTML, "client magicsock should be present")
 		assertNotNilNotEmpty(t, bun.Agent.PeerDiagnostics, "agent peer diagnostics should be present")
@@ -164,15 +166,15 @@ func assertSanitizedWorkspace(t *testing.T, ws codersdk.Workspace) {
 	t.Helper()
 	for _, res := range ws.LatestBuild.Resources {
 		for _, agt := range res.Agents {
-			assertSanitizedAgent(t, agt)
+			assertSanitizedEnv(t, agt.EnvironmentVariables)
 		}
 	}
 }
 
-func assertSanitizedAgent(t *testing.T, agt codersdk.WorkspaceAgent) {
+func assertSanitizedEnv(t *testing.T, env map[string]string) {
 	t.Helper()
-	for k, v := range agt.EnvironmentVariables {
-		assert.Equal(t, "***REDACTED***", v, "agent %q environment variable %q not sanitized", agt.Name, k)
+	for k, v := range env {
+		assert.Equal(t, "***REDACTED***", v, "environment variable %q not sanitized", k)
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -407,6 +407,7 @@ func connectedAgentInfo(ctx context.Context, client *codersdk.Client, log slog.L`
`407`	`407`	`if err := json.NewDecoder(bytes.NewReader(manifestRes)).Decode(&a.Manifest); err != nil {`
`408`	`408`	`return xerrors.Errorf("decode agent manifest: %w", err)`
`409`	`409`	`}`
	`410`	`+ sanitizeEnv(a.Manifest.EnvironmentVariables)`
`410`	`411`
`411`	`412`	`return nil`
`412`	`413`	`})`