system_command: automatically find secrets from ENV

2019-07-13 23:22:18 +08:00 · 2019-07-13 23:22:18 +08:00 · 1d957c2029
commit 1d957c2029
parent 66697d4290
2 changed files with 16 additions and 1 deletions
--- a/Library/Homebrew/system_command.rb
+++ b/Library/Homebrew/system_command.rb
@ -56,6 +56,7 @@ class SystemCommand
  def initialize(executable, args: [], sudo: false, env: {}, input: [], must_succeed: false,
                 print_stdout: false, print_stderr: true, verbose: false, secrets: [], **options)

+    require "extend/ENV"
    @executable = executable
    @args = args
    @sudo = sudo
@ -63,7 +64,7 @@ class SystemCommand
    @print_stdout = print_stdout
    @print_stderr = print_stderr
    @verbose = verbose
-    @secrets = Array(secrets)
+    @secrets = (Array(secrets) + ENV.sensitive_environment.values).uniq
    @must_succeed = must_succeed
    options.assert_valid_keys!(:chdir)
    @options = options
--- a/Library/Homebrew/test/system_command_spec.rb
+++ b/Library/Homebrew/test/system_command_spec.rb
@ -263,6 +263,20 @@ describe SystemCommand do
                               secrets: %w[hunter2]
        end.to raise_error.with_message(redacted_msg).and output(redacted_msg).to_stdout
      end
+
+      it "does not leak the secrets set by environment" do
+        redacted_msg = /#{Regexp.escape("username:******")}/
+        expect do
+          begin
+            ENV["PASSWORD"] = "hunter2"
+            described_class.run! "curl",
+                                 args:    %w[--user username:hunter2],
+                                 verbose: true
+          ensure
+            ENV.delete "PASSWORD"
+          end
+        end.to raise_error.with_message(redacted_msg).and output(redacted_msg).to_stdout
+      end
    end
  end
 end