Merge pull request #2524 from MikeMcQuaid/more-env-filtering-fixes

Hide sensitive tokens from install/test/post.
2017-04-23 09:45:47 +01:00 · 2017-04-23 09:45:47 +01:00 · 11acadaa50
commit 11acadaa50
parent cb17a80577 d02b4f321d
9 changed files with 48 additions and 14 deletions
--- a/Library/Homebrew/dev-cmd/mirror.rb
+++ b/Library/Homebrew/dev-cmd/mirror.rb
@ -8,10 +8,10 @@ module Homebrew
  def mirror
    odie "This command requires at least formula argument!" if ARGV.named.empty?

-    bintray_user = ENV["BINTRAY_USER"]
-    bintray_key = ENV["BINTRAY_KEY"]
+    bintray_user = ENV["HOMEBREW_BINTRAY_USER"]
+    bintray_key = ENV["HOMEBREW_BINTRAY_KEY"]
    if !bintray_user || !bintray_key
-      raise "Missing BINTRAY_USER or BINTRAY_KEY variables!"
+      raise "Missing HOMEBREW_BINTRAY_USER or HOMEBREW_BINTRAY_KEY variables!"
    end

    ARGV.formulae.each do |f|
--- a/Library/Homebrew/dev-cmd/pull.rb
+++ b/Library/Homebrew/dev-cmd/pull.rb
@ -263,7 +263,7 @@ module Homebrew
    end

    published = []
-    bintray_creds = { user: ENV["BINTRAY_USER"], key: ENV["BINTRAY_KEY"] }
+    bintray_creds = { user: ENV["HOMEBREW_BINTRAY_USER"], key: ENV["HOMEBREW_BINTRAY_KEY"] }
    if bintray_creds[:user] && bintray_creds[:key]
      changed_formulae_names.each do |name|
        f = Formula[name]
@ -272,7 +272,7 @@ module Homebrew
        published << f.full_name
      end
    else
-      opoo "You must set BINTRAY_USER and BINTRAY_KEY to add or update bottles on Bintray!"
+      opoo "You must set HOMEBREW_BINTRAY_USER and HOMEBREW_BINTRAY_KEY to add or update bottles on Bintray!"
    end
    published
  end
--- a/Library/Homebrew/diagnostic.rb
+++ b/Library/Homebrew/diagnostic.rb
@ -439,7 +439,7 @@ module Homebrew

        message = ""

-        paths.each do |p|
+        paths(ENV["HOMEBREW_PATH"]).each do |p|
          case p
          when "/usr/bin"
            unless $seen_prefix_bin
@ -609,7 +609,7 @@ module Homebrew
          /Applications/Server.app/Contents/ServerRoot/usr/sbin
        ].map(&:downcase)

-        paths.each do |p|
+        paths(ENV["HOMEBREW_PATH"]).each do |p|
          next if whitelist.include?(p.downcase) || !File.directory?(p)

          realpath = Pathname.new(p).realpath.to_s
--- a/Library/Homebrew/extend/ENV.rb
+++ b/Library/Homebrew/extend/ENV.rb
@ -26,6 +26,13 @@ module EnvActivation
  ensure
    replace(old_env)
  end
+
+  def clear_sensitive_environment!
+    ENV.keys.each do |key|
+      next unless /(cookie|key|token)/i =~ key
+      ENV.delete key
+    end
+  end
 end

 ENV.extend(EnvActivation)
--- a/Library/Homebrew/formula.rb
+++ b/Library/Homebrew/formula.rb
@ -13,6 +13,7 @@ require "pkg_version"
 require "tap"
 require "keg"
 require "migrator"
+require "extend/ENV"

 # A formula provides instructions and metadata for Homebrew to install a piece
 # of software. Every Homebrew formula is a {Formula}.
@ -1013,10 +1014,17 @@ class Formula
    @prefix_returns_versioned_prefix = true
    build = self.build
    self.build = Tab.for_formula(self)
+
    old_tmpdir = ENV["TMPDIR"]
    old_temp = ENV["TEMP"]
    old_tmp = ENV["TMP"]
+    old_path = ENV["HOMEBREW_PATH"]
+
    ENV["TMPDIR"] = ENV["TEMP"] = ENV["TMP"] = HOMEBREW_TEMP
+    ENV["HOMEBREW_PATH"] = nil
+
+    ENV.clear_sensitive_environment!
+
    with_logging("post_install") do
      post_install
    end
@ -1025,6 +1033,7 @@ class Formula
    ENV["TMPDIR"] = old_tmpdir
    ENV["TEMP"] = old_temp
    ENV["TMP"] = old_tmp
+    ENV["HOMEBREW_PATH"] = old_path
    @prefix_returns_versioned_prefix = false
  end

@ -1664,9 +1673,15 @@ class Formula
    old_temp = ENV["TEMP"]
    old_tmp = ENV["TMP"]
    old_term = ENV["TERM"]
+    old_path = ENV["HOMEBREW_PATH"]
+
    ENV["CURL_HOME"] = old_curl_home || old_home
    ENV["TMPDIR"] = ENV["TEMP"] = ENV["TMP"] = HOMEBREW_TEMP
    ENV["TERM"] = "dumb"
+    ENV["HOMEBREW_PATH"] = nil
+
+    ENV.clear_sensitive_environment!
+
    mktemp("#{name}-test") do |staging|
      staging.retain! if ARGV.keep_tmp?
      @testpath = staging.tmpdir
@ -1689,6 +1704,7 @@ class Formula
    ENV["TEMP"] = old_temp
    ENV["TMP"] = old_tmp
    ENV["TERM"] = old_term
+    ENV["HOMEBREW_PATH"] = old_path
    @prefix_returns_versioned_prefix = false
  end

@ -1925,17 +1941,24 @@ class Formula
      mkdir_p env_home

      old_home = ENV["HOME"]
-      ENV["HOME"] = env_home
      old_curl_home = ENV["CURL_HOME"]
+      old_path = ENV["HOMEBREW_PATH"]
+
+      ENV["HOME"] = env_home
      ENV["CURL_HOME"] = old_curl_home || old_home
+      ENV["HOMEBREW_PATH"] = nil
+
      setup_home env_home

+      ENV.clear_sensitive_environment!
+
      begin
        yield staging
      ensure
        @buildpath = nil
        ENV["HOME"] = old_home
        ENV["CURL_HOME"] = old_curl_home
+        ENV["HOMEBREW_PATH"] = old_path
      end
    end
  end
--- a/Library/Homebrew/global.rb
+++ b/Library/Homebrew/global.rb
@ -53,7 +53,7 @@ HOMEBREW_PULL_OR_COMMIT_URL_REGEX = %r[https://github\.com/([\w-]+)/([\w-]+)?/(?

 require "compat" unless ARGV.include?("--no-compat") || ENV["HOMEBREW_NO_COMPAT"]

-ORIGINAL_PATHS = ENV["PATH"].split(File::PATH_SEPARATOR).map do |p|
+ORIGINAL_PATHS = ENV["HOMEBREW_PATH"].split(File::PATH_SEPARATOR).map do |p|
  begin
    Pathname.new(p).expand_path
  rescue
--- a/Library/Homebrew/test/diagnostic_spec.rb
+++ b/Library/Homebrew/test/diagnostic_spec.rb
@ -122,8 +122,9 @@ describe Homebrew::Diagnostic::Checks do
  specify "#check_user_path_3" do
    begin
      sbin = HOMEBREW_PREFIX/"sbin"
-      ENV["PATH"] = "#{HOMEBREW_PREFIX}/bin#{File::PATH_SEPARATOR}" +
-                    ENV["PATH"].gsub(/(?:^|#{Regexp.escape(File::PATH_SEPARATOR)})#{Regexp.escape(sbin)}/, "")
+      ENV["HOMEBREW_PATH"] =
+        "#{HOMEBREW_PREFIX}/bin#{File::PATH_SEPARATOR}" +
+        ENV["HOMEBREW_PATH"].gsub(/(?:^|#{Regexp.escape(File::PATH_SEPARATOR)})#{Regexp.escape(sbin)}/, "")
      (sbin/"something").mkpath

      expect(subject.check_user_path_1).to be nil
@ -149,7 +150,9 @@ describe Homebrew::Diagnostic::Checks do
      file = "#{path}/foo-config"
      FileUtils.touch file
      FileUtils.chmod 0755, file
-      ENV["PATH"] = "#{path}#{File::PATH_SEPARATOR}#{ENV["PATH"]}"
+      ENV["HOMEBREW_PATH"] =
+        ENV["PATH"] =
+          "#{path}#{File::PATH_SEPARATOR}#{ENV["PATH"]}"

      expect(subject.check_for_config_scripts)
        .to match('"config" scripts exist')
--- a/Library/Homebrew/test/support/helper/spec/shared_context/integration_test.rb
+++ b/Library/Homebrew/test/support/helper/spec/shared_context/integration_test.rb
@ -72,6 +72,7 @@ RSpec.shared_context "integration test" do

    env.merge!(
      "PATH" => path,
+      "HOMEBREW_PATH" => path,
      "HOMEBREW_BREW_FILE" => HOMEBREW_PREFIX/"bin/brew",
      "HOMEBREW_INTEGRATION_TEST" => command_id_from_args(args),
      "HOMEBREW_TEST_TMPDIR" => TEST_TMPDIR,
--- a/Library/Homebrew/utils.rb
+++ b/Library/Homebrew/utils.rb
@ -406,8 +406,8 @@ def nostdout
  end
 end

-def paths
-  @paths ||= ENV["PATH"].split(File::PATH_SEPARATOR).collect do |p|
+def paths(env_path = ENV["PATH"])
+  @paths ||= env_path.split(File::PATH_SEPARATOR).collect do |p|
    begin
      File.expand_path(p).chomp("/")
    rescue ArgumentError