Merge pull request #271 from php-school/dont-inherit-env

Don't inherit env otherwise we leak all secrets

Author: AydinHassan

src/ExerciseRunner/CgiRunner.php

@@ -198,7 +198,8 @@ private function executePhpFile(string $fileName, RequestInterface $request, str
      */
     private function getProcess(string $fileName, RequestInterface $request): Process
     {
-        $env = [
+        $env = $this->getDefaultEnv();
+        $env += [
             'REQUEST_METHOD'  => $request->getMethod(),
             'SCRIPT_FILENAME' => $fileName,
             'REDIRECT_STATUS' => 302,
@@ -224,6 +225,20 @@ private function getProcess(string $fileName, RequestInterface $request): Proces
         return Process::fromShellCommandline($cmd, null, $env, null, 10);
     }
 
+    /**
+     * We need to reset env entirely, because Symfony inherits it. We do that by setting all
+     * the current env vars to false
+     *
+     * @return array<string, false>
+     */
+    private function getDefaultEnv(): array
+    {
+        $env = array_map(fn () => false, $_ENV);
+        $env + array_map(fn () => false, $_SERVER);
+
+        return $env;
+    }
+
     /**
      * Verifies a solution by invoking PHP via the `php-cgi` binary, populating all the super globals with
      * the information from the request objects returned from the exercise. The exercise can return multiple

src/ExerciseRunner/CliRunner.php

@@ -137,12 +137,27 @@ private function getPhpProcess(string $fileName, ArrayObject $args): Process
         return new Process(
             $args->prepend($fileName)->prepend($this->phpLocation)->getArrayCopy(),
             dirname($fileName),
-            ['XDEBUG_MODE' => 'off'],
+            $this->getDefaultEnv() + ['XDEBUG_MODE' => 'off'],
             null,
             10
         );
     }
 
+    /**
+     * We need to reset env entirely, because Symfony inherits it. We do that by setting all
+     * the current env vars to false
+     *
+     * @return array<string, false>
+     */
+    private function getDefaultEnv(): array
+    {
+        $env = array_map(fn () => false, $_ENV);
+        $env + array_map(fn () => false, $_SERVER);
+
+        return $env;
+    }
+
+
     /**
      * Verifies a solution by invoking PHP from the CLI passing the arguments gathered from the exercise
      * as command line arguments to PHP.