Commit

Secure pre-command & post-command environment variables by default (#2695)

* Secure pre-command & post-command environment variables by default

* typo

* [MegaLinter] Apply linters fixes

---------

Co-authored-by: nvuillam <nvuillam@users.noreply.github.com>
nvuillam and nvuillam authored May 28, 2023
1 parent bdf1e5e commit afae649
Showing 11 changed files with 36 additions and 11 deletions.
1 change: 1 addition & 0 deletions .trivyignore
@@ -161,6 +161,7 @@ CVE-2023-0842
CVE-2023-28840
CVE-2023-29017
CVE-2023-29199
CVE-2023-29491
CVE-2023-30547
CVE-2023-32314
DS001
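Review bot: the new CVE-2023-29491 entry carries no justification, unlike what an auditable ignore list needs: nothing says which package it concerns, why the finding is accepted, or when it should be revisited. Trivy treats lines starting with `#` as comments, so a one-line reason above the entry keeps the suppression reviewable.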
11 changes: 8 additions & 3 deletions CHANGELOG.md
@@ -8,14 +8,19 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-linter.yml file, or with `oxsecurity/megalinter:beta` docker image

- Quick Fix mega-linter-runner --upgrade
- Dead link to configuration.md
- Regex issue with megalinter-reports
- Secure PRE_COMMANDS and POST_COMMANDS by default
- Can be disabled with **secured_env: false** in the command definition

- Linter versions upgrades
- [checkstyle](https://checkstyle.sourceforge.io) from 10.11.0 to **10.12.0** on 2023-05-27
<!-- linter-versions-end -->

## [v7.0.2] - 2023-05-27

- Quick Fix mega-linter-runner --upgrade (Warning: bug with npm, not publish yet in mega-linter-runner)
- Dead link to configuration.md
- Regex issue with megalinter-reports

## [v7.0.0] - 2023-05-27

To upgrade to MegaLinter v7, run `npx mega-linter-runner@latest --upgrade` , comment [here](https://github.com/oxsecurity/megalinter/issues/2692) if you have any issue :)
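Review bot: the three unreleased entries "Quick Fix mega-linter-runner --upgrade", "Dead link to configuration.md" and "Regex issue with megalinter-reports" duplicate the [v7.0.2] section below; if they shipped in 7.0.2 they should be removed from the unreleased list. Also, securing PRE_COMMANDS and POST_COMMANDS by default is a behaviour change for existing configurations whose commands rely on a secured variable (they will no longer receive it), so the entry deserves a short upgrade note pointing at `secured_env: false` rather than only the sub-bullet.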
4 changes: 3 additions & 1 deletion README.md
@@ -1098,6 +1098,7 @@ PRE_COMMANDS:
cwd: "root" # Will be run at the root of MegaLinter docker image
- command: echo "pre-test command has been called"
cwd: "workspace" # Will be run at the root of the workspace (usually your repository root)
continue_if_failed: False # Will stop the process if command is failed (return code > 0)
- command: pip install flake8-cognitive-complexity
venv: flake8 # Will be run within flake8 python virtualenv. There is one virtualenv per python-based linter, with the same name
```
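Review bot: the example now documents `continue_if_failed` but not the `secured_env` option this commit introduces, and this is the snippet users copy; add a line such as `secured_env: false # Give the command access to secured env variables (default: true)` so the opt-out is discoverable. The comment "Will stop the process if command is failed" also reads better as "Stops MegaLinter if the command fails (return code > 0)".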
@@ -1120,6 +1121,7 @@ Example in `.mega-linter.yml` config file
POST_COMMANDS:
- command: npm run test
cwd: "workspace" # Will be run at the root of the workspace (usually your repository root)
continue_if_failed: False # Will stop the process if command is failed (return code > 0)
```

<!-- config-postcommands-section-end -->
@@ -1188,7 +1190,7 @@ SECURED_ENV_VARIABLES=MY_SECRET_TOKEN,ANOTHER_VAR_CONTAINING_SENSITIVE_DATA,OX_A
Notes:

- If you override SECURED_ENV_VARIABLES_DEFAULT, it replaces the default list, so it's better to only define SECURED_ENV_VARIABLES to add them to the default list !
- Environment variables are secured for each command line called (linters, plugins, sarif formatter...) except for [PRE_COMMANDS](https://github.com/oxsecurity/megalinter/tree/main/docs/config-precommands.md) , as you might need secured values within their code.
- Environment variables are secured for each command line called (linters, plugins, sarif formatter...) except for [PRE_COMMANDS](https://github.com/oxsecurity/megalinter/tree/main/docs/config-precommands.md) , ONLY if you define `secured_env: false` in the command.

<!-- config-variables-security-section-end -->
<!-- config-cli-lint-mode-section-start -->
1 change: 1 addition & 0 deletions docs/config-postcommands.md
@@ -16,6 +16,7 @@ Example in `.mega-linter.yml` config file
POST_COMMANDS:
- command: npm run test
cwd: "workspace" # Will be run at the root of the workspace (usually your repository root)
continue_if_failed: False # Will stop the process if command is failed (return code > 0)
```
1 change: 1 addition & 0 deletions docs/config-precommands.md
@@ -18,6 +18,7 @@ PRE_COMMANDS:
cwd: "root" # Will be run at the root of MegaLinter docker image
- command: echo "pre-test command has been called"
cwd: "workspace" # Will be run at the root of the workspace (usually your repository root)
continue_if_failed: False # Will stop the process if command is failed (return code > 0)
- command: pip install flake8-cognitive-complexity
venv: flake8 # Will be run within flake8 python virtualenv. There is one virtualenv per python-based linter, with the same name
```
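Review bot: the security note in docs/config-variables-security.md links to this page for the `secured_env` opt-out, yet this hunk only adds `continue_if_failed`; a reader following that link will not find `secured_env` documented. Add it to the example with its default, e.g. `secured_env: false # Only if the command really needs the secured variables (default: true)`.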
2 changes: 1 addition & 1 deletion docs/config-variables-security.md
@@ -64,7 +64,7 @@ SECURED_ENV_VARIABLES=MY_SECRET_TOKEN,ANOTHER_VAR_CONTAINING_SENSITIVE_DATA,OX_A
Notes:

- If you override SECURED_ENV_VARIABLES_DEFAULT, it replaces the default list, so it's better to only define SECURED_ENV_VARIABLES to add them to the default list !
- Environment variables are secured for each command line called (linters, plugins, sarif formatter...) except for [PRE_COMMANDS](config-precommands.md) , as you might need secured values within their code.
- Environment variables are secured for each command line called (linters, plugins, sarif formatter...) except for [PRE_COMMANDS](config-precommands.md) , ONLY if you define `secured_env: false` in the command.


<!-- config-variables-security-section-end -->
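Review bot: the rewritten note contradicts itself: it still says variables are secured "except for PRE_COMMANDS", then appends "ONLY if you define `secured_env: false`". Since this commit secures them by default, say so directly: "Environment variables are also secured for PRE_COMMANDS and POST_COMMANDS by default; add `secured_env: false` to a command definition only when it genuinely needs the secured values." The same sentence is mirrored in README.md and must be kept in sync.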
2 changes: 1 addition & 1 deletion docs/descriptors/powershell_powershell.md
@@ -38,7 +38,7 @@ description: How to use powershell (configure, ignore files, ignore errors, help
| POWERSHELL_POWERSHELL_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| POWERSHELL_POWERSHELL_DISABLE_ERRORS | Run linter but consider errors as warnings | `false` |
| POWERSHELL_POWERSHELL_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | `0` |
| POWERSHELL_POWERSHELL_CLI_EXECUTABLE | Override CLI executable | `['pwsh']` |
| POWERSHELL_POWERSHELL_CLI_EXECUTABLE | Override CLI executable | `['powershell']` |

## IDE Integration

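Review bot: the default for POWERSHELL_POWERSHELL_CLI_EXECUTABLE changes from `['pwsh']` to `['powershell']` (the formatter doc and both JSON schema defaults further down change the same way), but neither the commit message nor the CHANGELOG mentions PowerShell. On Linux images PowerShell ships as the `pwsh` binary, while `powershell` is the Windows executable name, so please confirm this is intended and not a side effect of the "[MegaLinter] Apply linters fixes" regeneration step.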
2 changes: 1 addition & 1 deletion docs/descriptors/powershell_powershell_formatter.md
@@ -39,7 +39,7 @@ description: How to use powershell_formatter (configure, ignore files, ignore er
| POWERSHELL_POWERSHELL_FORMATTER_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| POWERSHELL_POWERSHELL_FORMATTER_DISABLE_ERRORS | Run linter but consider errors as warnings | `true` |
| POWERSHELL_POWERSHELL_FORMATTER_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | `0` |
| POWERSHELL_POWERSHELL_FORMATTER_CLI_EXECUTABLE | Override CLI executable | `['pwsh']` |
| POWERSHELL_POWERSHELL_FORMATTER_CLI_EXECUTABLE | Override CLI executable | `['powershell']` |

## IDE Integration

@@ -31,6 +31,12 @@
],
"title": "Folder where to run the command",
"type": "string"
},
"secured_env": {
"Description": "Hides sensitive variables from ENV variables when calling the command",
"default": true,
"title": "Secured Environment Variables",
"type": "boolean"
}
},
"required": [],
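Review bot: the new `secured_env` property spells the keyword as `"Description"`; JSON Schema's keyword is lowercase `description`, so validators and the documentation generator will ignore it and the option ends up with no description. Change it to `"description"` to match the lowercase `title` and `type` keys beside it.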
@@ -9268,7 +9274,7 @@
"$id": "#/properties/POWERSHELL_POWERSHELL_CLI_EXECUTABLE",
"default": [
[
"pwsh"
"powershell"
]
],
"items": {
@@ -9367,7 +9373,7 @@
"$id": "#/properties/POWERSHELL_POWERSHELL_FORMATTER_CLI_EXECUTABLE",
"default": [
[
"pwsh"
"powershell"
]
],
"items": {
7 changes: 6 additions & 1 deletion megalinter/pre_post_factory.py
@@ -59,8 +59,13 @@ def run_command(command_info, log_key, mega_linter, linter=None):
cwd = os.getcwd()
if command_info.get("cwd", "root") == "workspace":
cwd = mega_linter.workspace
# Secure env by default. Must be explicitly define to false in command definition to be disabled
if "secured_env" not in command_info:
command_info["secured_env"] = True
command_info = complete_command(command_info)
subprocess_env = {**config.build_env(mega_linter.request_id, False)}
subprocess_env = {
**config.build_env(mega_linter.request_id, command_info["secured_env"])
}
add_in_logs(
linter,
log_key,
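Review bot: `command_info["secured_env"] = True` writes the default back into the caller's dict, so `run_command` now mutates whatever object was passed in (for PRE_COMMANDS/POST_COMMANDS that is the parsed configuration) as a side effect. Read the flag instead of storing it: `secured_env = command_info.get("secured_env", True)` and then `config.build_env(mega_linter.request_id, secured_env)`. The raw value is also passed straight to `build_env`, so a YAML string such as `"false"` would be truthy; the schema declares the field boolean, which covers the config path, but a `bool(...)` coercion would make the failure mode explicit. Minor: the comment should read "Must be explicitly defined as false".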
6 changes: 5 additions & 1 deletion megalinter/reporters/GitlabCommentReporter.py
@@ -97,7 +97,11 @@ def produce_report(self):
if gitlab_certificate_path != "":
# Update certificates and set cert path in gitlab options
run_command(
{"cwd": "root", "command": "update-ca-certificates"},
{
"cwd": "root",
"command": "update-ca-certificates",
"secured_env": False,
},
"GitlabCommentReporter",
self.master,
)
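Review bot: this call opts `update-ca-certificates` out of the new secure default with `"secured_env": False`, but that command only rebuilds the system CA bundle from the certificate directories on disk and reads none of the secured variables. Unless a specific variable is actually required, drop the `secured_env` key so the default applies; if one is needed, add a comment naming it so the exception stays justified.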