add FileSystem provider

.github/workflows/ci.yml

@@ -16,8 +16,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - otp: "22.x"
-            elixir: "1.11.x"
           - otp: "23.x"
             elixir: "1.12.x"
           - otp: "24.x"

README.md

@@ -15,23 +15,23 @@ Hush can be used to inject configuration that is not known at compile time, such
 
 ```elixir
 # config/prod.exs
-alias Hush.Provider.{AwsSecretsManager, GcpSecretManager, SystemEnvironment}
+alias Hush.Provider.{AwsSecretsManager, FileSystem, GcpSecretManager, SystemEnvironment}
 
-config :app, Web.Endpoint,
-  http: [port: {:hush, SystemEnvironment, "PORT", [cast: :integer]}]
+config :hush, FileSystem, search_paths: ["/secrets"]
 
 config :app, App,
-  cdn_url: {:hush, GcpSecretManager, "CDN_DOMAIN", [apply: &{:ok, "https://" <> &1}]}
-
-config :app, App.RedshiftRepo,
-  password: {:hush, AwsSecretsManager, "REDSHIFT_PASSWORD"}
+  pool_size: {:hush, SystemEnvironment, "POOL_SIZE", cast: :integer},
+  ssl_certificate: {:hush, FileSystem, "cert.pem"},
+  url: {:hush, GcpSecretManager, "APP_URL", [apply: &{:ok, "https://" <> &1}]},
+  password: {:hush, AwsSecretsManager, "PASSWORD"}
 ```
 
-Hush resolves configuration from using providers, it ships with a `SystemEnvironment` provider which reads environmental variables, but multiple providers exist. You can also [write your own easily](#writing-your-own-provider).
+Hush resolves configuration from using providers. It ships with `SystemEnvironment` and `FileSystem` providers, but multiple providers exist. You can also [write your own easily](#writing-your-own-provider).
 
 | Provider            | Description                                                                               | Link                                                            |
 | ------------------- | ----------------------------------------------------------------------------------------- | --------------------------------------------------------------- |
 | `SystemEnvironment` | Reads environmental variables.                                                            |                                                                 |
+| `FileSystem`        | Reads contents of file.                                                                   |                                                                 |
 | `AwsSecretsManager` | Load secrets from [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/).         | [GitHub](https://github.com/gordalina/hush_aws_secrets_manager) |
 | `GcpSecretManager`  | Load secrets from [Google Cloud Secret Manager](https://cloud.google.com/secret-manager). | [GitHub](https://github.com/gordalina/hush_gcp_secret_manager)  |
 
@@ -49,7 +49,7 @@ end
 
 Run `mix deps.get` to install it.
 
-Some providers may need to initialize applications or even start processes to function correctly. The providers will be explicit about whether they need to be loaded at startup or not. `GcpSecretsManager` unlike `SystemEnvironment` is one such example. To load the provider you need to configure it like so. **Note:** `SystemEnvironment` does not need to be loaded at startup.
+Some providers may need to initialize applications or even start processes to function correctly. The providers will be explicit about whether they need to be loaded at startup or not. `GcpSecretsManager` unlike `SystemEnvironment` is one such example. To load the provider you need to configure it like so. **Note:** `SystemEnvironment` and `FileSystem` do not need to be loaded at startup.
 
 ```elixir
 # config/config.exs
@@ -375,6 +375,7 @@ end
 
 | Hush | Erlang/OTP | Elixir |
 | - | - | - |
+| `>= 1.2.0` | `>= 23.0.0` | `>= 1.12.0` |
 | `>= 1.0.0` | `>= 21.0.0` | `>= 1.10.0` |
 | `<= 0.5.0` | `>= 20.0.0` | `>= 1.9.0` |
 

lib/hush/provider/file_system.ex

@@ -0,0 +1,48 @@
+defmodule Hush.Provider.FileSystem do
+  @moduledoc """
+  Provider to read secrets from file system
+  """
+
+  @behaviour Hush.Provider
+
+  @impl true
+  @spec load(config :: Keyword.t()) :: :ok | {:error, any()}
+  def load(_config), do: :ok
+
+  @impl true
+  @spec fetch(key :: String.t()) :: {:ok, String.t()} | {:error, :not_found}
+  def fetch(key) do
+    Enum.find_value(search_paths(), &read_file(&1, key))
+  end
+
+  # sobelow_skip ["Traversal.FileModule"]
+  defp read_file(path, key) do
+    with {:ok, safe_key} <- safe_relative(key, path),
+         {:ok, value} <- File.read(Path.join(path, safe_key)) do
+      {:ok, value}
+    else
+      :error -> {:error, "Path traversal detected: tried to read #{path}/#{key}"}
+      _ -> {:error, :not_found}
+    end
+  end
+
+  defp safe_relative(path, relative_to) do
+    cond do
+      Version.match?(System.version(), ">= 1.16.0") ->
+        apply(Path, :safe_relative, [path, relative_to])
+
+      Version.match?(System.version(), ">= 1.14.0") ->
+        apply(Path, :safe_relative_to, [path, relative_to])
+
+      true ->
+        case :filelib.safe_relative_path(IO.chardata_to_string(path), relative_to) do
+          :unsafe -> :error
+          relative_path -> {:ok, IO.chardata_to_string(relative_path)}
+        end
+    end
+  end
+
+  defp search_paths() do
+    Application.fetch_env!(:hush, __MODULE__) |> Keyword.get(:search_paths, [])
+  end
+end

mix.exs

@@ -8,7 +8,7 @@ defmodule Hush.MixProject do
     [
       app: :hush,
       version: @version,
-      elixir: "~> 1.11",
+      elixir: "~> 1.12",
       deps: deps(),
       docs: docs(),
       description: description(),

test/hush/provider/file_system_test.exs

@@ -0,0 +1,34 @@
+defmodule Hush.Provider.FileSystemTest do
+  use ExUnit.Case
+  doctest Hush.Provider.FileSystem
+  alias Hush.Provider.FileSystem
+
+  describe "load/1" do
+    test "ok" do
+      assert FileSystem.load(nil) == :ok
+    end
+  end
+
+  describe "fetch/1" do
+    test "without file" do
+      Application.put_env(:hush, FileSystem, search_paths: ["/tmp"])
+      assert FileSystem.fetch("HUSH_UNKNOWN") == {:error, :not_found}
+    end
+
+    test "path traversal" do
+      Application.put_env(:hush, FileSystem, search_paths: ["/tmp"])
+
+      assert FileSystem.fetch("../etc/passwd") ==
+               {:error, "Path traversal detected: tried to read /tmp/../etc/passwd"}
+    end
+
+    test "with file" do
+      rand = :rand.uniform(10_000_000_000)
+
+      Application.put_env(:hush, FileSystem, search_paths: ["/tmp"])
+      assert File.write("/tmp/HUSH_#{rand}", "foo") == :ok
+      assert FileSystem.fetch("HUSH_#{rand}") == {:ok, "foo"}
+      assert File.rm("/tmp/HUSH_#{rand}") == :ok
+    end
+  end
+end