Skip to content

fix(support): sanitize agent env #12554

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Mar 12, 2024
Merged

fix(support): sanitize agent env #12554

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3f9970e
fix(support): sanitize agent env
johnstcn Mar 12, 2024
da0fb1e
redact all the things
johnstcn Mar 12, 2024
e13e5b3
Update support/support.go
johnstcn Mar 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
fix(support): sanitize agent env
  • Loading branch information
@johnstcn
johnstcn committed Mar 12, 2024
commit 3f9970e7c633de78efeb31d5a6f4de35b84241ff
3 changes: 3 additions & 0 deletions coderd/database/dbfake/dbfake.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,9 @@ func (b WorkspaceBuildBuilder) WithAgent(mutations ...func([]*sdkproto.Agent) []
Auth: &sdkproto.Agent_Token{
Token: b.agentToken,
},
Env: map[string]string{
"SECRET_TOKEN": "supersecret",
},
}}
for _, m := range mutations {
agents = m(agents)
Expand Down
16 changes: 16 additions & 0 deletions support/support.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,11 @@ func WorkspaceInfo(ctx context.Context, client *codersdk.Client, log slog.Logger
log.Error(ctx, "fetch workspace", slog.Error(err), slog.F("workspace_id", workspaceID))
return w
}
for _, res := range ws.LatestBuild.Resources {
for _, agt := range res.Agents {
sanitizeEnv(agt.EnvironmentVariables)
}
}
w.Workspace = ws

eg.Go(func() error {
Expand Down Expand Up @@ -346,3 +351,14 @@ func Run(ctx context.Context, d *Deps) (*Bundle, error) {

return &b, nil
}

// sanitizeEnv modifies kvs in place and erases the values of keys containing
// the strings "secret", "token", or "pass"
func sanitizeEnv(kvs map[string]string) {
for k := range kvs {
kl := strings.ToLower(k)
if strings.Contains(kl, "secret") || strings.Contains(kl, "token") || strings.Contains(kl, "pass") {
kvs[k] = ""
}
}
}
17 changes: 17 additions & 0 deletions support/support_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import (
"context"
"io"
"net/http"
"strings"
"testing"
"time"

Expand Down Expand Up @@ -57,6 +58,7 @@ func TestRun(t *testing.T) {
require.NotEmpty(t, bun.Network.TailnetDebug)
require.NotNil(t, bun.Network.NetcheckLocal)
require.NotNil(t, bun.Workspace.Workspace)
assertSanitizedWorkspace(t, bun.Workspace.Workspace)
require.NotEmpty(t, bun.Workspace.BuildLogs)
require.NotNil(t, bun.Workspace.Agent)
require.NotEmpty(t, bun.Workspace.AgentStartupLogs)
Expand Down Expand Up @@ -92,6 +94,7 @@ func TestRun(t *testing.T) {
require.NotEmpty(t, bun.Network.CoordinatorDebug)
require.NotEmpty(t, bun.Network.TailnetDebug)
require.NotNil(t, bun.Workspace)
assertSanitizedWorkspace(t, bun.Workspace.Workspace)
require.NotEmpty(t, bun.Logs)
})

Expand Down Expand Up @@ -140,6 +143,20 @@ func assertSanitizedDeploymentConfig(t *testing.T, dc *codersdk.DeploymentConfig
}
}

func assertSanitizedWorkspace(t *testing.T, ws codersdk.Workspace) {
t.Helper()
for _, res := range ws.LatestBuild.Resources {
for _, agt := range res.Agents {
for k, v := range agt.EnvironmentVariables {
kl := strings.ToLower(k)
if strings.Contains(kl, "secret") || strings.Contains(kl, "token") || strings.Contains(kl, "pass") {
assert.Empty(t, v, "environment variable %q not sanitized", k)
}
}
}
}
}

func setupWorkspaceAndAgent(ctx context.Context, t *testing.T, client *codersdk.Client, db database.Store, user codersdk.CreateFirstUserResponse) (codersdk.Workspace, codersdk.WorkspaceAgent) {
// This is a valid zip file
zipBytes := make([]byte, 22)
Expand Down