-rw-r--r--config.toml20
-rw-r--r--src/config/container_config.rs6
-rw-r--r--src/job/runnable.rs27
3 files changed, 45 insertions, 8 deletions
diff --git a/config.toml b/config.toml
index 1cd9626..e68b206 100644
--- a/config.toml
+++ b/config.toml
@@ -125,7 +125,21 @@ maxjobs = 1
[containers]
-# environment variables which are allowed during container start
-# This way, errors (typos) when passing environment to a build can be prevented
-allowed_env = [ "PATH" ]
+
+# Restrict the environment that can be passed to the containers
+#
+# This is a security mechansim to prevent typos when passing environment
+# variables (either from package definition or from CLI) to the build jobs in
+# the containers.
+#
+# If this is set to `true`, only the variables named in `allowed_env` will be
+# allowed to be passed to the container. If a variable is not in this list,
+# butido will fail with an error message.
+#
+check_env_names = true
+
+# Environment variables which are allowed to be passed to a container.
+# This way, errors (typos) when passing environment to a build can be prevented.
+# Double-check this list
+allowed_env = [ "FOO", "BAR" ]
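Review bot: The new comment block introduced at `# This is a security mechansim …` misspells "mechanism", and the trailing `# Double-check this list` does not say what to check for; tying it to the switch above, e.g. `# Double-check this list: with check_env_names = true, any variable not named here is rejected`, makes the consequence explicit. The example list also drops `"PATH"` in favour of the placeholder names `"FOO", "BAR"`; if this file is used as a shipped default rather than a sample, a build that previously relied on PATH being passed through would now be rejected, so a line such as `# Example values, replace with the variables your builds actually need` would make the intent clear.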
diff --git a/src/config/container_config.rs b/src/config/container_config.rs
index aad17e8..e50c46f 100644
--- a/src/config/container_config.rs
+++ b/src/config/container_config.rs
@@ -1,10 +1,14 @@
+use getset::CopyGetters;
use getset::Getters;
use serde::Deserialize;
use crate::util::EnvironmentVariableName;
-#[derive(Debug, Getters, Deserialize)]
+#[derive(Debug, CopyGetters, Getters, Deserialize)]
pub struct ContainerConfig {
+ #[getset(get_copy = "pub")]
+ check_env_names: bool,
+
#[getset(get = "pub")]
allowed_env: Vec<EnvironmentVariableName>,
}
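Review bot: The new field `check_env_names: bool` carries no `#[serde(default)]`, so a config file written before this change (without the key) will no longer deserialize; if forcing operators to set it explicitly is intended, that deserves a `///` comment on the field, otherwise `#[serde(default)]` (which yields `false`, i.e. the check off) or a `#[serde(default = "...")]` helper returning `true` keeps the safer behaviour when the key is omitted. A doc comment stating that `allowed_env` is only consulted when this is `true` would also help readers of the public getter that `CopyGetters` generates.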
diff --git a/src/job/runnable.rs b/src/job/runnable.rs
index 6d36189..98f0bf9 100644
--- a/src/job/runnable.rs
+++ b/src/job/runnable.rs
@@ -5,7 +5,7 @@ use anyhow::Error;
use anyhow::Result;
use anyhow::anyhow;
use getset::Getters;
-use log::{warn, trace};
+use log::{debug, warn, trace};
use tokio::stream::StreamExt;
use uuid::Uuid;
@@ -46,9 +46,6 @@ pub struct RunnableJob {
impl RunnableJob {
pub async fn build_from_job(job: Job, merged_stores: &MergedStores, source_cache: &SourceCache, config: &Configuration) -> Result<Self> {
- let script = ScriptBuilder::new(&job.script_shebang)
- .build(&job.package, &job.script_phases, *config.strict_script_interpolation())?;
-
trace!("Preparing build dependencies");
let resources = {
let deps = job.package().dependencies();
@@ -73,6 +70,28 @@ impl RunnableJob {
build
};
+ if config.containers().check_env_names() {
+ debug!("Checking environment if all variables are allowed!");
+ let _ = Self::env_resources(job.resources(), job.package().environment().as_ref())
+ .into_iter()
+ .inspect(|(name, _)| debug!("Checking: {}", name))
+ .map(|(name, _)| {
+ if !config.containers().allowed_env().contains(&name) {
+ Err(anyhow!("Environment variable name not allowed: {}", name))
+ } else {
+ Ok(())
+ }
+ })
+ .collect::<Result<()>>()
+ .with_context(|| anyhow!("Checking allowed variables for package {} {}", job.package().name(), job.package().version()))
+ .context("Checking allowed variable names")?;
+ } else {
+ debug!("Environment checking disabled");
+ }
+
+ let script = ScriptBuilder::new(&job.script_shebang)
+ .build(&job.package, &job.script_phases, *config.strict_script_interpolation())?;
+
Ok(RunnableJob {
uuid: job.uuid,
package: job.package,
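Review bot: The allowlist check added at the top of this hunk only sees the names produced by `Self::env_resources(job.resources(), job.package().environment().as_ref())`, so CLI-supplied variables are covered only if they have already been merged into `job.resources()` at this point, which the hunk does not show; the accompanying config.toml comment promises both sources, so this is worth confirming or recording with a comment such as `// job.resources() must already contain any CLI-supplied environment here`. The `map` + `collect::<Result<()>>()` pair with an inverted `if !` reads more directly as `.try_for_each(|(name, _)| if config.containers().allowed_env().contains(&name) { Ok(()) } else { Err(anyhow!("Environment variable name not allowed: {}", name)) })`, which also removes the `let _ =` that currently discards a unit value after `?`. The two stacked contexts wrap the same failure twice; `.with_context(|| format!("Checking allowed variables for package {} {}", job.package().name(), job.package().version()))?` alone is enough and avoids building an intermediate `anyhow!` just for its Display output. `build_from_job` starts in the previous hunk and its body continues past this one.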