From e2bce1e321313408957938302815640b095ddec9 Mon Sep 17 00:00:00 2001
From: Matthias Beyer <mail@beyermatthias.de>
Date: Tue, 8 Dec 2020 14:16:51 +0100
Subject: Implement checking of allowed environment variables

Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
---
 src/job/runnable.rs | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

(limited to 'src/job')

diff --git a/src/job/runnable.rs b/src/job/runnable.rs
index 6d36189..98f0bf9 100644
--- a/src/job/runnable.rs
+++ b/src/job/runnable.rs
@@ -5,7 +5,7 @@ use anyhow::Error;
 use anyhow::Result;
 use anyhow::anyhow;
 use getset::Getters;
-use log::{warn, trace};
+use log::{debug, warn, trace};
 use tokio::stream::StreamExt;
 use uuid::Uuid;
 
@@ -46,9 +46,6 @@ pub struct RunnableJob {
 
 impl RunnableJob {
     pub async fn build_from_job(job: Job, merged_stores: &MergedStores, source_cache: &SourceCache, config: &Configuration) -> Result<Self> {
-        let script = ScriptBuilder::new(&job.script_shebang)
-            .build(&job.package, &job.script_phases, *config.strict_script_interpolation())?;
-
         trace!("Preparing build dependencies");
         let resources = {
             let deps = job.package().dependencies();
@@ -73,6 +70,28 @@ impl RunnableJob {
             build
         };
 
+        if config.containers().check_env_names() {
+            debug!("Checking environment if all variables are allowed!");
+            let _ = Self::env_resources(job.resources(), job.package().environment().as_ref())
+                .into_iter()
+                .inspect(|(name, _)| debug!("Checking: {}", name))
+                .map(|(name, _)| {
+                    if !config.containers().allowed_env().contains(&name) {
+                        Err(anyhow!("Environment variable name not allowed: {}", name))
+                    } else {
+                        Ok(())
+                    }
+                })
+                .collect::<Result<()>>()
+                .with_context(|| anyhow!("Checking allowed variables for package {} {}", job.package().name(), job.package().version()))
+                .context("Checking allowed variable names")?;
+        } else {
+            debug!("Environment checking disabled");
+        }
+
+        let script = ScriptBuilder::new(&job.script_shebang)
+            .build(&job.package, &job.script_phases, *config.strict_script_interpolation())?;
+
         Ok(RunnableJob {
             uuid: job.uuid,
             package: job.package,
-- 
cgit v1.2.3