Skip to content

Commit 214bb7b

Browse files
DrJosh9000DrJosh9000
committed
internal: Add comments about env files
1 parent 0e059a8 commit 214bb7b

1 file changed

Lines changed: 18 additions & 1 deletion

File tree

agent/job_runner.go

Lines changed: 18 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -491,6 +491,15 @@ BUILDKITE_AGENT_JWKS_KEY_ID`
491491
}
492492

493493
for key, value := range env {
494+
// Note that the value below is %q-quoted, and not shell-escaped.
495+
// Env files are designed to be validated by the pre-bootstrap hook.
496+
// Because the job env may contain untrusted or even dangerous env
497+
// vars (suppose a user adds an env var in the "New Build" UI with a
498+
// value that exploits a command injection in Bash), the
499+
// pre-bootstrap hook should do this validation *without* sourcing
500+
// the file. (If the job env was universally safe, then we wouldn't
501+
// bother using a file - we'd load it straight into the subprocess
502+
// env.)
494503
if _, err := fmt.Fprintf(r.envShellFile, "%s=%q\n", key, value); err != nil {
495504
return nil, err
496505
}
@@ -500,6 +509,8 @@ BUILDKITE_AGENT_JWKS_KEY_ID`
500509
}
501510
}
502511
if r.envJSONFile != nil {
512+
// key="value" format can be difficult to parse in some circumstances,
513+
// so we also have a JSON formatted env file.
503514
if err := json.NewEncoder(r.envJSONFile).Encode(env); err != nil {
504515
return nil, err
505516
}
@@ -775,7 +786,13 @@ func (r *JobRunner) executePreBootstrapHook(ctx context.Context, hook string) (b
775786

776787
// This (plus inherited) is the only ENV that should be exposed
777788
// to the pre-bootstrap hook.
778-
// - Env files are designed to be validated by the pre-bootstrap hook
789+
// - Env files are designed to be validated by the pre-bootstrap hook.
790+
// Because the job env may contain untrusted or even dangerous env vars
791+
// (suppose a user adds an env var in the "New Build" UI with a value that
792+
// exploits a command injection in Bash), the pre-bootstrap hook should do
793+
// this validation *without* sourcing the file. (If the job env was
794+
// universally safe to source, then we would just pre-populate this env
795+
// with it.)
779796
// - The pre-bootstrap hook may want to create annotations, so it can also
780797
// have a few necessary and global args as env vars.
781798
environ := envutil.New()

0 commit comments

Comments
 (0)