fix: improve filtering of reserved env vars

2026-01-10 07:58:15 -05:00 · 2023-02-24 21:57:48 +01:00
parent 978423ba5b
commit 1ff42991b3
2 changed files with 81 additions and 7 deletions
--- a/cli/packages/cmd/cmd_test.go
+++ b/cli/packages/cmd/cmd_test.go
@@ -0,0 +1,49 @@
+package cmd
+
+import (
+	"testing"
+
+	"github.com/Infisical/infisical-merge/packages/models"
+)
+
+func TestEnvFilter(t *testing.T) {
+
+	// some test env vars.
+	// HOME and PATH are reserved key words and should be filtered out
+	// XDG_SESSION_ID and LC_CTYPE are reserved key word prefixes and should be filtered out
+	// The filter function only checks the keys of the env map, so we dont need to set any values
+	env := map[string]models.SingleEnvironmentVariable{
+		"test":           {},
+		"test2":          {},
+		"HOME":           {},
+		"PATH":           {},
+		"XDG_SESSION_ID": {},
+		"LC_CTYPE":       {},
+	}
+
+	// check to see if there are any reserved key words in secrets to inject
+	filterEnvVars(env)
+
+	if len(env) != 2 {
+		t.Errorf("Expected 2 secrets to be returned, got %d", len(env))
+	}
+	if _, ok := env["test"]; !ok {
+		t.Errorf("Expected test to be returned")
+	}
+	if _, ok := env["test2"]; !ok {
+		t.Errorf("Expected test2 to be returned")
+	}
+	if _, ok := env["HOME"]; ok {
+		t.Errorf("Expected HOME to be filtered out")
+	}
+	if _, ok := env["PATH"]; ok {
+		t.Errorf("Expected PATH to be filtered out")
+	}
+	if _, ok := env["XDG_SESSION_ID"]; ok {
+		t.Errorf("Expected XDG_SESSION_ID to be filtered out")
+	}
+	if _, ok := env["LC_CTYPE"]; ok {
+		t.Errorf("Expected LC_CTYPE to be filtered out")
+	}
+
+}
--- a/cli/packages/cmd/run.go
+++ b/cli/packages/cmd/run.go
@@ -110,13 +110,7 @@ var runCmd = &cobra.Command{
 		}

 		// check to see if there are any reserved key words in secrets to inject
-		reservedEnvironmentVariables := []string{"HOME", "PATH", "PS1", "PS2"}
-		for _, reservedEnvName := range reservedEnvironmentVariables {
-			if _, ok := secretsByKey[reservedEnvName]; ok {
-				delete(secretsByKey, reservedEnvName)
-				util.PrintWarning(fmt.Sprintf("Infisical secret named [%v] has been removed because it is a reserved secret name", reservedEnvName))
-			}
-		}
+		filterEnvVars(secretsByKey)

 		// now add infisical secrets
 		for k, v := range secretsByKey {
@@ -149,6 +143,37 @@ var runCmd = &cobra.Command{
 	},
 }

+var (
+	reservedEnvVars = []string{
+		"HOME", "PATH", "PS1", "PS2",
+		"PWD", "EDITOR", "XAUTHORITY", "USER",
+		"TERM", "TERMINFO", "SHELL", "MAIL",
+	}
+
+	reservedEnvVarPrefixes = []string{
+		"XDG_",
+		"LC_",
+	}
+)
+
+func filterEnvVars(env map[string]models.SingleEnvironmentVariable) {
+	for _, reservedEnvName := range reservedEnvVars {
+		if _, ok := env[reservedEnvName]; ok {
+			delete(env, reservedEnvName)
+			util.PrintWarning(fmt.Sprintf("Infisical secret named [%v] has been removed because it is a reserved secret name", reservedEnvName))
+		}
+	}
+
+	for _, reservedEnvPrefix := range reservedEnvVarPrefixes {
+		for envName := range env {
+			if strings.HasPrefix(envName, reservedEnvPrefix) {
+				delete(env, envName)
+				util.PrintWarning(fmt.Sprintf("Infisical secret named [%v] has been removed because it contains a reserved prefix", envName))
+			}
+		}
+	}
+}
+
 func init() {
 	rootCmd.AddCommand(runCmd)
 	runCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")