Manage _UNSECURED_ENV_VARIABLES for linters
Fixes #2699
nvuillam committed May 30, 2023
1 parent 429032d commit ca2343f
Showing 6 changed files with 31 additions and 12 deletions.
15 changes: 12 additions & 3 deletions megalinter/Linter.py
Expand Up @@ -87,6 +87,7 @@ def __init__(self, params=None, linter_config=None):
self.is_plugin = False
self.pre_commands = None
self.post_commands = None
self.unsecured_env_variables = []
self.ignore_for_flavor_suggestions = False

self.cli_lint_mode = "file"
Expand Down Expand Up @@ -665,6 +666,12 @@ def load_config_vars(self, params):
self.request_id, self.name + "_POST_COMMANDS"
)

# Get secured variables allow list
if config.exists(self.request_id, self.name + "_UNSECURED_ENV_VARIABLES"):
self.unsecured_env_variables = config.get_list(
self.name + "_UNSECURED_ENV_VARIABLES"
)

# Disable errors for this linter NAME + _DISABLE_ERRORS, then LANGUAGE + _DISABLE_ERRORS
if config.get(self.request_id, self.name + "_DISABLE_ERRORS_IF_LESS_THAN"):
self.disable_errors_if_less_than = int(
Expand Down Expand Up @@ -895,7 +902,7 @@ def execute_lint_command(self, command):
cwd = os.path.abspath(self.workspace)
logging.debug(f"[{self.linter_name}] CWD: {cwd}")
subprocess_env = {
**config.build_env(self.request_id),
**config.build_env(self.request_id, True, self.unsecured_env_variables),
"FORCE_COLOR": "0",
}
if type(command) == str:
Expand Down Expand Up @@ -1025,7 +1032,7 @@ def get_linter_version_output(self):
logging.debug("Linter version command: " + str(command))
cwd = os.getcwd() if command[0] != "npm" else "~/"
subprocess_env = {
**config.build_env(self.request_id),
**config.build_env(self.request_id, True, self.unsecured_env_variables),
"FORCE_COLOR": "0",
}
try:
Expand Down Expand Up @@ -1073,7 +1080,9 @@ def get_linter_help(self):
command[0] = cli_absolute
logging.debug("Linter help command: " + str(command))
subprocess_env = {
**config.build_env(self.request_id),
**config.build_env(
self.request_id, True, self.unsecured_env_variables
),
"FORCE_COLOR": "0",
}
process = subprocess.run(
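Review bot: In the load_config_vars hunk, `config.get_list(self.name + "_UNSECURED_ENV_VARIABLES")` omits `self.request_id`, while the `config.exists(...)` guard directly above it, the `config.get(self.request_id, ...)` call below it and the preceding call ending in `self.request_id, self.name + "_POST_COMMANDS"` all pass the request id first; if get_list shares that signature, the variable name is being passed as the request id and the allow list is read from the wrong configuration. The call should read `self.unsecured_env_variables = config.get_list(self.request_id, self.name + "_UNSECURED_ENV_VARIABLES")`. Because this list unmasks values that build_env otherwise hides from the linter subprocess, a debug log naming which variables are unmasked for which linter, next to the existing pre/post command handling, would make the effect auditable after the fact. The comment `# Get secured variables allow list` would be clearer as `# Names of secured variables this linter may receive unmasked`. load_config_vars starts before and continues after the hunk.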
9 changes: 5 additions & 4 deletions megalinter/config.py
Expand Up @@ -236,7 +236,7 @@ def delete(request_id=None, key=None):
set_config(request_id, config)


def build_env(request_id, secured=True):
def build_env(request_id, secured=True, allow_list=[]):
secured_env_variables = []
secured_env_variables_regex = []
if secured is True:
Expand All @@ -246,9 +246,10 @@ def build_env(request_id, secured=True):
)
env_dict = {}
for key, value in get_config(request_id).items():
if key in secured_env_variables or match_variable_regexes(
key, secured_env_variables_regex
):
if (
key in secured_env_variables
or match_variable_regexes(key, secured_env_variables_regex)
) and key not in allow_list:
env_dict[key] = "HIDDEN_BY_MEGALINTER"
elif not isinstance(value, str):
env_dict[key] = str(value)
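Review bot: `allow_list=[]` in the new build_env signature is a mutable default argument; the visible body only reads it, but a shared list is a standing hazard for any later caller that appends, and None is the idiomatic default: `def build_env(request_id, secured=True, allow_list=None):` followed by `allow_list = allow_list or []` at the top of the body. The allow list now exempts both exact-name and regex matches from masking (the `and key not in allow_list` clause wraps both branches), which looks intended but deserves a docstring stating that names in allow_list are passed through to the subprocess even when they appear in SECURED_ENV_VARIABLES or match one of its regexes. A set would also make the membership test O(1), though with a handful of names that is cosmetic. build_env's body continues past the second hunk.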
4 changes: 3 additions & 1 deletion megalinter/linters/RakuLinter.py
Expand Up @@ -24,7 +24,9 @@ def before_lint_files(self):
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
shell=True,
env=config.build_env(self.request_id),
env=config.build_env(
self.request_id, True, self.unsecured_env_variables
),
)
return_code = process.returncode
return_stdout = megalinter.utils.decode_utf8(process.stdout)
2 changes: 1 addition & 1 deletion megalinter/linters/TfLintLinter.py
Expand Up @@ -34,4 +34,4 @@ def before_lint_files(self):
self.pre_commands.append(tflint_pre_command)

def pre_test(self):
config.set_value(self.request_id, "TERRAFORM_TFLINT_SECURED_ENV", "false")
config.set_value(self.request_id, "TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES", "GITHUB_TOKEN")
5 changes: 4 additions & 1 deletion megalinter/pre_post_factory.py
Expand Up @@ -63,8 +63,11 @@ def run_command(command_info, log_key, mega_linter, linter=None):
if "secured_env" not in command_info:
command_info["secured_env"] = True
command_info = complete_command(command_info)
unsecured_env_variables = []
if linter is not None:
unsecured_env_variables = linter.unsecured_env_variables
subprocess_env = {
**config.build_env(mega_linter.request_id, command_info["secured_env"])
**config.build_env(mega_linter.request_id, command_info["secured_env"], unsecured_env_variables)
}
add_in_logs(
linter,
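Review bot: The three-line `unsecured_env_variables = []` / `if linter is not None:` / assignment in run_command reads more directly as a conditional expression, `unsecured_env_variables = linter.unsecured_env_variables if linter is not None else []`. The rewritten `config.build_env(mega_linter.request_id, command_info["secured_env"], unsecured_env_variables)` call on the next line is well past the line length used elsewhere in this commit (compare the wrapped call in get_linter_help in Linter.py) and should be split the same way. A command run with `linter` as None (presumably repository-level pre/post commands) gets no allow list, so only `secured_env: false` can expose secured values on that path; a one-line comment saying so would save the next reader the inference. run_command starts before the hunk.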
8 changes: 6 additions & 2 deletions megalinter/tests/test_megalinter/config_test.py
Expand Up @@ -269,13 +269,14 @@ def test_config_secure_env_vars_custom(self):
"GITLAB_ACCESS_TOKEN_MEGALINTER": "GITLAB_ACCESS_TOKEN_MEGALINTER_VALUE",
"SECRET_VAR": "SECRET_VALUE",
"OX_API_KEY": "1234",
"SECURED_ENV_VARIABLES": "SECRET_VAR,OX_API_KEY,(VAR_.*_REGEX)",
"SECURED_ENV_VARIABLES": "SECRET_VAR,OX_API_KEY,(VAR_.*_REGEX),UNSECURED_VAR",
"workspace": ".",
"LOG_LEVEL": "DEBUG",
"VAR_WITH_REGEX": "aXw32",
'UNSECURED_VAR': 'visible'
},
)
cli_env = config.build_env(request_id)
cli_env = config.build_env(request_id,True,['UNSECURED_VAR'])
self.assertTrue(cli_env["VISIBLE_VAR"] == "VALUE", "VISIBLE_VAR is visible")
self.assertTrue(
cli_env["GITHUB_TOKEN"] == "HIDDEN_BY_MEGALINTER",
Expand All @@ -295,6 +296,9 @@ def test_config_secure_env_vars_custom(self):
cli_env["GITLAB_ACCESS_TOKEN_MEGALINTER"] == "HIDDEN_BY_MEGALINTER",
"GITLAB_ACCESS_TOKEN_MEGALINTER is not visible",
)
self.assertTrue(
cli_env["UNSECURED_VAR"] == "visible", "UNSECURED_VAR is visible"
)
usage_stdout = io.StringIO()
with contextlib.redirect_stdout(usage_stdout):
Megalinter(
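Review bot: The new call `cli_env = config.build_env(request_id,True,['UNSECURED_VAR'])` and the dict entry `'UNSECURED_VAR': 'visible'` break the spacing and double-quote style of the surrounding test; they should read `cli_env = config.build_env(request_id, True, ["UNSECURED_VAR"])` and `"UNSECURED_VAR": "visible",` as the neighbouring entries do. The test adds UNSECURED_VAR to SECURED_ENV_VARIABLES by exact name only, while the allow-list clause in build_env also exempts regex matches, so a second assertion for an allow-listed name that matches `(VAR_.*_REGEX)` would pin that branch as well. test_config_secure_env_vars_custom continues past both hunks.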
