
Commit 47cb584

fix(support): sanitize agent env (coder#12554)
1 parent 597694f commit 47cb584

3 files changed

+31
-0
lines changed


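--- a/coderd/database/dbfake/dbfake.go
+++ b/coderd/database/dbfake/dbfake.go
@@ -95,6 +95,9 @@ func (b WorkspaceBuildBuilder) WithAgent(mutations ...func([]*sdkproto.Agent) []
 			Auth: &sdkproto.Agent_Token{
 				Token: b.agentToken,
 			},
+			Env: map[string]string{
+				"SECRET_TOKEN": "supersecret",
+			},
 		}}
 		for _, m := range mutations {
 			agents = m(agents)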

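--- a/support/support.go
+++ b/support/support.go
@@ -191,6 +191,11 @@ func WorkspaceInfo(ctx context.Context, client *codersdk.Client, log slog.Logger
 		log.Error(ctx, "fetch workspace", slog.Error(err), slog.F("workspace_id", workspaceID))
 		return w
 	}
+	for _, res := range ws.LatestBuild.Resources {
+		for _, agt := range res.Agents {
+			sanitizeEnv(agt.EnvironmentVariables)
+		}
+	}
 	w.Workspace = ws
 
 	eg.Go(func() error {
@@ -346,3 +351,13 @@ func Run(ctx context.Context, d *Deps) (*Bundle, error) {
 
 	return &b, nil
 }
+
+// sanitizeEnv modifies kvs in place and replaces the values all non-empty keys
+// with the string ***REDACTED***
+func sanitizeEnv(kvs map[string]string) {
+	for k, v := range kvs {
+		if v != "" {
+			kvs[k] = "***REDACTED***"
+		}
+	}
+}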
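Review bot: The doc comment on sanitizeEnv at the end of the second hunk says it replaces the values of all non-empty *keys*, but the guard `if v != ""` tests the value, so the comment misstates the contract; it should read `// sanitizeEnv modifies kvs in place, replacing every non-empty value with the string ***REDACTED***; empty values and key names are left untouched.` The redaction in WorkspaceInfo is applied only to the agents embedded in ws.LatestBuild.Resources, while the bundle also carries a separate Workspace.Agent (the test requires bun.Workspace.Agent to be non-nil); if that codersdk.WorkspaceAgent is fetched elsewhere in WorkspaceInfo it presumably has its own EnvironmentVariables map that never passes through sanitizeEnv, which is worth confirming and covering. Because the map is mutated in place, any other holder of the same ws value will also see redacted values, which is fine here but should be kept in mind if the fetched workspace is ever reused. WorkspaceInfo's body begins before the first hunk and continues past it.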

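--- a/support/support_test.go
+++ b/support/support_test.go
@@ -57,6 +57,7 @@ func TestRun(t *testing.T) {
 		require.NotEmpty(t, bun.Network.TailnetDebug)
 		require.NotNil(t, bun.Network.NetcheckLocal)
 		require.NotNil(t, bun.Workspace.Workspace)
+		assertSanitizedWorkspace(t, bun.Workspace.Workspace)
 		require.NotEmpty(t, bun.Workspace.BuildLogs)
 		require.NotNil(t, bun.Workspace.Agent)
 		require.NotEmpty(t, bun.Workspace.AgentStartupLogs)
@@ -92,6 +93,7 @@ func TestRun(t *testing.T) {
 		require.NotEmpty(t, bun.Network.CoordinatorDebug)
 		require.NotEmpty(t, bun.Network.TailnetDebug)
 		require.NotNil(t, bun.Workspace)
+		assertSanitizedWorkspace(t, bun.Workspace.Workspace)
 		require.NotEmpty(t, bun.Logs)
 	})
 
@@ -140,6 +142,17 @@ func assertSanitizedDeploymentConfig(t *testing.T, dc *codersdk.DeploymentConfig
 	}
 }
 
+func assertSanitizedWorkspace(t *testing.T, ws codersdk.Workspace) {
+	t.Helper()
+	for _, res := range ws.LatestBuild.Resources {
+		for _, agt := range res.Agents {
+			for k, v := range agt.EnvironmentVariables {
+				assert.Equal(t, "***REDACTED***", v, "environment variable %q not sanitized", k)
+			}
+		}
+	}
+}
+
 func setupWorkspaceAndAgent(ctx context.Context, t *testing.T, client *codersdk.Client, db database.Store, user codersdk.CreateFirstUserResponse) (codersdk.Workspace, codersdk.WorkspaceAgent) {
 	// This is a valid zip file
 	zipBytes := make([]byte, 22)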
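Review bot: assertSanitizedWorkspace in the third hunk passes vacuously when LatestBuild.Resources has no agents or an agent's EnvironmentVariables map is empty, so a regression that dropped the env from the response (or from the dbfake seed) would still turn the test green. Since dbfake now seeds SECRET_TOKEN on the fake agent, assert presence as well as redaction, e.g. `require.NotEmpty(t, ws.LatestBuild.Resources, "expected at least one resource")` before the loop and `require.NotEmpty(t, agt.EnvironmentVariables, "expected seeded env on agent")` inside the agent loop. It would also pin the actual leak rather than only the marker to add `assert.NotEqual(t, "supersecret", v, "seeded secret leaked for %q", k)` next to the existing Equal check. setupWorkspaceAndAgent begins at the end of this hunk and continues outside it.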
