Fix: Prevent environment variable leakage in subprocess calls#362
Merged
Conversation
Reviewer's GuideIntroduce a whitelisted environment builder for subprocess calls and replace direct deep copies of os.environ with minimal, explicitly controlled environments when invoking the testing-farm CLI, to avoid leaking sensitive NEWA_* and other credentials. Sequence diagram for whitelisted environment in testing-farm subprocess callssequenceDiagram
actor User
participant Request
participant ExecutionModule
participant subprocess
User->>Request: initiate_tf_request(ctx)
Request->>Request: generate_tf_exec_command(ctx)
Request->>Request: set NO_COLOR, NO_TTY in environment
Request->>ExecutionModule: build_clean_environment(additional_vars)
ExecutionModule-->>Request: env (whitelisted)
Request->>subprocess: run(command, env=env)
User->>ExecutionModule: check_tf_cli_version(ctx)
ExecutionModule->>ExecutionModule: build_clean_environment(additional_vars)
ExecutionModule->>subprocess: run(['testing-farm','version'], env=env)
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- Consider extracting the
passthrough_varslist into a module-level constant so it’s easier to audit and update the set of allowed environment variables in one place. - The
NO_COLOR/NO_TTYadditions are repeated in multiple places; you could introduce a small helper (or include them directly inbuild_clean_environment) to avoid duplication and ensure they stay consistent across all subprocess calls.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- Consider extracting the `passthrough_vars` list into a module-level constant so it’s easier to audit and update the set of allowed environment variables in one place.
- The `NO_COLOR`/`NO_TTY` additions are repeated in multiple places; you could introduce a small helper (or include them directly in `build_clean_environment`) to avoid duplication and ensure they stay consistent across all subprocess calls.
## Individual Comments
### Comment 1
<location path="newa/models/execution.py" line_range="61-68" />
<code_context>
+ Returns:
+ Dictionary with whitelisted environment variables
+ """
+ # Whitelist of environment variables to pass through
+ passthrough_vars = [
+ 'TESTING_FARM_API_TOKEN', # Required by testing-farm CLI for authentication
+ 'PATH', # Required to find executables
+ 'HOME', # May be needed by CLI tools for config
+ 'USER', # May be needed by some tools
+ 'LANG', # Locale settings
+ 'LC_ALL', # Locale settings
+ ]
+
</code_context>
<issue_to_address>
**issue (bug_risk):** Whitelisting may unintentionally drop proxy-related env vars needed in proxied environments.
This whitelist also omits common, non-sensitive proxy/SSL vars like `HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`, and `REQUESTS_CA_BUNDLE`. In proxied environments this can prevent the CLI from reaching external services. Consider explicitly allowing these (or a defined set of networking-related vars) if you need connectivity in such setups.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
Replace deep copy of os.environ with whitelisted environment variables to prevent sensitive credentials (like NEWA_* variables) from leaking to subprocess calls. Only explicitly required variables are now passed to testing-farm CLI and other subprocesses. The whitelist now includes proxy and SSL certificate environment variables to ensure proper operation in proxied environments. NO_COLOR and NO_TTY are automatically set by the helper function to avoid duplication across call sites. Added documentation to README.md explaining the security model and listing all environment variables that are passed to subprocesses. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Replace deep copy of os.environ with whitelisted environment variables to prevent sensitive credentials (like NEWA_* variables) from leaking to subprocess calls. Only explicitly required variables are now passed to testing-farm CLI and other subprocesses.
🤖 Generated with Claude Code
Summary by Sourcery
Restrict environment variables passed to testing-farm subprocesses to a minimal, whitelisted set to avoid leaking sensitive data while preserving required CLI functionality.
Bug Fixes:
Enhancements: