diff options
| author | Matthias Beyer <mail@beyermatthias.de> | 2020-12-08 14:16:51 +0100 |
|---|---|---|
| committer | Matthias Beyer <mail@beyermatthias.de> | 2020-12-08 14:47:58 +0100 |
| commit | e2bce1e321313408957938302815640b095ddec9 (patch) | |
| tree | 2e1a36beae85a36b8d8b377a218c1e26c7cd1f59 /src/job | |
| parent | 25ffcbbd37a983d2031a6aa172730d6957b0a6a6 (diff) | |
Implement checking of allowed environment variables
Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
Diffstat (limited to 'src/job')
| -rw-r--r-- | src/job/runnable.rs | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/src/job/runnable.rs b/src/job/runnable.rs index 6d36189..98f0bf9 100644 --- a/src/job/runnable.rs +++ b/src/job/runnable.rs @@ -5,7 +5,7 @@ use anyhow::Error; use anyhow::Result; use anyhow::anyhow; use getset::Getters; -use log::{warn, trace}; +use log::{debug, warn, trace}; use tokio::stream::StreamExt; use uuid::Uuid; @@ -46,9 +46,6 @@ pub struct RunnableJob { impl RunnableJob { pub async fn build_from_job(job: Job, merged_stores: &MergedStores, source_cache: &SourceCache, config: &Configuration) -> Result<Self> { - let script = ScriptBuilder::new(&job.script_shebang) - .build(&job.package, &job.script_phases, *config.strict_script_interpolation())?; - trace!("Preparing build dependencies"); let resources = { let deps = job.package().dependencies(); @@ -73,6 +70,28 @@ impl RunnableJob { build }; + if config.containers().check_env_names() { + debug!("Checking environment if all variables are allowed!"); + let _ = Self::env_resources(job.resources(), job.package().environment().as_ref()) + .into_iter() + .inspect(|(name, _)| debug!("Checking: {}", name)) + .map(|(name, _)| { + if !config.containers().allowed_env().contains(&name) { + Err(anyhow!("Environment variable name not allowed: {}", name)) + } else { + Ok(()) + } + }) + .collect::<Result<()>>() + .with_context(|| anyhow!("Checking allowed variables for package {} {}", job.package().name(), job.package().version())) + .context("Checking allowed variable names")?; + } else { + debug!("Environment checking disabled"); + } + + let script = ScriptBuilder::new(&job.script_shebang) + .build(&job.package, &job.script_phases, *config.strict_script_interpolation())?; + Ok(RunnableJob { uuid: job.uuid, package: job.package, |