From afae6499671d8d8c61d619982debe4bf9d295dd0 Mon Sep 17 00:00:00 2001
From: Nicolas Vuillamy
Date: Sun, 28 May 2023 18:25:04 +0200
Subject: [PATCH] Secure pre-command & post-command environment variables by default (#2695) * Secure pre-command & post-command environment variables by default * typo * [MegaLinter] Apply linters fixes --------- Co-authored-by: nvuillam
---
 .trivyignore | 1 +
 CHANGELOG.md | 11 ++++++++---
 README.md | 4 +++-
 docs/config-postcommands.md | 1 +
 docs/config-precommands.md | 1 +
 docs/config-variables-security.md | 2 +-
 docs/descriptors/powershell_powershell.md | 2 +-
 docs/descriptors/powershell_powershell_formatter.md | 2 +-
 .../schemas/megalinter-configuration.jsonschema.json | 10 ++++++++--
 megalinter/pre_post_factory.py | 7 ++++++-
 megalinter/reporters/GitlabCommentReporter.py | 6 +++++-
 11 files changed, 36 insertions(+), 11 deletions(-)
diff --git a/.trivyignore b/.trivyignore
index 96129cbcc69..b59869543ee 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -161,6 +161,7 @@ CVE-2023-0842
 CVE-2023-28840
 CVE-2023-29017
 CVE-2023-29199
+CVE-2023-29491
 CVE-2023-30547
 CVE-2023-32314
 DS001
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d9ed5cc9161..2fea12e9110 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
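Review bot: The added `CVE-2023-29491` suppression carries no justification, so anyone auditing the ignore list later cannot tell whether the finding was assessed as not applicable to this image or merely silenced to keep the scan green, nor when it should be revisited. .trivyignore accepts `#` comment lines, so add one directly above the entry, e.g. `# CVE-2023-29491: <why it does not apply / tracking issue> — re-check once a fixed package version is available`. The same applies to the neighbouring entries, but those are outside this change.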
@@ -8,14 +8,19 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-linter.yml file, or with `oxsecurity/megalinter:beta` docker image -- Quick Fix mega-linter-runner --upgrade - - Dead link to configuration.md - - Regex issue with megalinter-reports +- Secure PRE_COMMANDS and POST_COMMANDS by default + - Can be disabled with **secured_env: false** in the command definition - Linter versions upgrades - [checkstyle](https://checkstyle.sourceforge.io) from 10.11.0 to **10.12.0** on 2023-05-27 +## [v7.0.2] - 2023-05-27 + +- Quick Fix mega-linter-runner --upgrade (Warning: bug with npm, not publish yet in mega-linter-runner) + - Dead link to configuration.md + - Regex issue with megalinter-reports + ## [v7.0.0] - 2023-05-27 To upgrade to MegaLinter v7, run `npx mega-linter-runner@latest --upgrade` , comment [here](https://github.com/oxsecurity/megalinter/issues/2692) if you have any issue :)
diff --git a/README.md b/README.md
index d77f1a76868..d815c735690 100644
--- a/README.md
+++ b/README.md
@@ -1098,6 +1098,7 @@ PRE_COMMANDS:
 cwd: "root" # Will be run at the root of MegaLinter docker image
 - command: echo "pre-test command has been called"
 cwd: "workspace" # Will be run at the root of the workspace (usually your repository root)
+ continue_if_failed: False # Will stop the process if command is failed (return code > 0)
 - command: pip install flake8-cognitive-complexity
 venv: flake8 # Will be run within flake8 python virtualenv. There is one virtualenv per python-based linter, with the same name
 ```
@@ -1120,6 +1121,7 @@ Example in `.mega-linter.yml` config file POST_COMMANDS: - command: npm run test cwd: "workspace" # Will be run at the root of the workspace (usually your repository root) + continue_if_failed: False # Will stop the process if command is failed (return code > 0) ```
@@ -1188,7 +1190,7 @@ SECURED_ENV_VARIABLES=MY_SECRET_TOKEN,ANOTHER_VAR_CONTAINING_SENSITIVE_DATA,OX_A Notes: - If you override SECURED_ENV_VARIABLES_DEFAULT, it replaces the default list, so it's better to only define SECURED_ENV_VARIABLES to add them to the default list ! -- Environment variables are secured for each command line called (linters, plugins, sarif formatter...) except for [PRE_COMMANDS](https://github.com/oxsecurity/megalinter/tree/main/docs/config-precommands.md) , as you might need secured values within their code. +- Environment variables are secured for each command line called (linters, plugins, sarif formatter...) except for [PRE_COMMANDS](https://github.com/oxsecurity/megalinter/tree/main/docs/config-precommands.md) , ONLY if you define `secured_env: false` in the command.
diff --git a/docs/config-postcommands.md b/docs/config-postcommands.md
index 524b15fcfd0..64f04953331 100644
--- a/docs/config-postcommands.md
+++ b/docs/config-postcommands.md
@@ -16,6 +16,7 @@ Example in `.mega-linter.yml` config file POST_COMMANDS: - command: npm run test cwd: "workspace" # Will be run at the root of the workspace (usually your repository root) + continue_if_failed: False # Will stop the process if command is failed (return code > 0) ```
diff --git a/docs/config-precommands.md b/docs/config-precommands.md
index e7f861c46e5..71013a57245 100644
--- a/docs/config-precommands.md
+++ b/docs/config-precommands.md
@@ -18,6 +18,7 @@ PRE_COMMANDS:
 cwd: "root" # Will be run at the root of MegaLinter docker image
 - command: echo "pre-test command has been called"
 cwd: "workspace" # Will be run at the root of the workspace (usually your repository root)
+ continue_if_failed: False # Will stop the process if command is failed (return code > 0)
 - command: pip install flake8-cognitive-complexity
 venv: flake8 # Will be run within flake8 python virtualenv. There is one virtualenv per python-based linter, with the same name
 ```
diff --git a/docs/config-variables-security.md b/docs/config-variables-security.md
index f65b19157b7..f0beae45c56 100644
--- a/docs/config-variables-security.md
+++ b/docs/config-variables-security.md
@@ -64,7 +64,7 @@ SECURED_ENV_VARIABLES=MY_SECRET_TOKEN,ANOTHER_VAR_CONTAINING_SENSITIVE_DATA,OX_A Notes: - If you override SECURED_ENV_VARIABLES_DEFAULT, it replaces the default list, so it's better to only define SECURED_ENV_VARIABLES to add them to the default list ! -- Environment variables are secured for each command line called (linters, plugins, sarif formatter...) except for [PRE_COMMANDS](config-precommands.md) , as you might need secured values within their code. +- Environment variables are secured for each command line called (linters, plugins, sarif formatter...) except for [PRE_COMMANDS](config-precommands.md) , ONLY if you define `secured_env: false` in the command.
diff --git a/docs/descriptors/powershell_powershell.md b/docs/descriptors/powershell_powershell.md
index 5aafef91272..0fe2de4a44c 100644
--- a/docs/descriptors/powershell_powershell.md
+++ b/docs/descriptors/powershell_powershell.md
@@ -38,7 +38,7 @@ description: How to use powershell (configure, ignore files, ignore errors, help | POWERSHELL_POWERSHELL_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules | | POWERSHELL_POWERSHELL_DISABLE_ERRORS | Run linter but consider errors as warnings | `false` | | POWERSHELL_POWERSHELL_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | `0` | -| POWERSHELL_POWERSHELL_CLI_EXECUTABLE | Override CLI executable | `['pwsh']` | +| POWERSHELL_POWERSHELL_CLI_EXECUTABLE | Override CLI executable | `['powershell']` | ## IDE Integration
diff --git a/docs/descriptors/powershell_powershell_formatter.md b/docs/descriptors/powershell_powershell_formatter.md
index 67cecc13e8b..dbd36c2ddc8 100644
--- a/docs/descriptors/powershell_powershell_formatter.md
+++ b/docs/descriptors/powershell_powershell_formatter.md
@@ -39,7 +39,7 @@ description: How to use powershell_formatter (configure, ignore files, ignore er | POWERSHELL_POWERSHELL_FORMATTER_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules | | POWERSHELL_POWERSHELL_FORMATTER_DISABLE_ERRORS | Run linter but consider errors as warnings | `true` | | POWERSHELL_POWERSHELL_FORMATTER_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | `0` | -| POWERSHELL_POWERSHELL_FORMATTER_CLI_EXECUTABLE | Override CLI executable | `['pwsh']` | +| POWERSHELL_POWERSHELL_FORMATTER_CLI_EXECUTABLE | Override CLI executable | `['powershell']` | ## IDE Integration
diff --git a/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json b/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json
index fe67f7c3534..d5cb2030619 100644
--- a/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json
+++ b/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json
@@ -31,6 +31,12 @@
 ],
 "title": "Folder where to run the command",
 "type": "string"
+ },
+ "secured_env": {
+ "Description": "Hides sensitive variables from ENV variables when calling the command",
+ "default": true,
+ "title": "Secured Environment Variables",
+ "type": "boolean"
 }
 },
 "required": [],
@@ -9268,7 +9274,7 @@
 "$id": "#/properties/POWERSHELL_POWERSHELL_CLI_EXECUTABLE",
 "default": [
 [
- "pwsh"
+ "powershell"
 ]
 ],
 "items": {
@@ -9367,7 +9373,7 @@
 "$id": "#/properties/POWERSHELL_POWERSHELL_FORMATTER_CLI_EXECUTABLE",
 "default": [
 [
- "pwsh"
+ "powershell"
 ]
 ],
 "items": {
diff --git a/megalinter/pre_post_factory.py b/megalinter/pre_post_factory.py
index ca00c624207..9f994ed7c11 100644
--- a/megalinter/pre_post_factory.py
+++ b/megalinter/pre_post_factory.py
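Review bot: The new `secured_env` property spells its description key as `"Description"`, but the JSON Schema annotation keyword is lowercase, so validators and schema-driven editors will silently ignore the text; change it to `"description": "Hides sensitive variables from ENV variables when calling the command"`. The preceding property in the hunk only shows `title` and `type`, so the casing used elsewhere in the file is not visible here, but the keyword itself is fixed by the specification. It is also worth stating in that description that the default is `true` and that `false` exposes the SECURED_ENV_VARIABLES values to the command, since that is the decision a user is making when they set it.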
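Review bot: The default of `POWERSHELL_POWERSHELL_CLI_EXECUTABLE` changes from `pwsh` to `powershell` in this hunk and in the `POWERSHELL_POWERSHELL_FORMATTER_CLI_EXECUTABLE` hunk that follows, which is unrelated to securing pre/post command environments and is not mentioned in the commit message. On Linux images the PowerShell 7 binary is invoked as `pwsh`, so if these lines were produced by regenerating the schema from the descriptors they may carry an unintended value; confirm the descriptor really intends `powershell` before shipping, or move the change into its own commit with an explanation.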
@@ -59,8 +59,13 @@ def run_command(command_info, log_key, mega_linter, linter=None):
 cwd = os.getcwd()
 if command_info.get("cwd", "root") == "workspace":
 cwd = mega_linter.workspace
+ # Secure env by default. Must be explicitly define to false in command definition to be disabled
+ if "secured_env" not in command_info:
+ command_info["secured_env"] = True
 command_info = complete_command(command_info)
- subprocess_env = {**config.build_env(mega_linter.request_id, False)}
+ subprocess_env = {
+ **config.build_env(mega_linter.request_id, command_info["secured_env"])
+ }
 add_in_logs(
 linter,
 log_key,
diff --git a/megalinter/reporters/GitlabCommentReporter.py b/megalinter/reporters/GitlabCommentReporter.py
index e96f9ca1b6b..8c851e94690 100644
--- a/megalinter/reporters/GitlabCommentReporter.py
+++ b/megalinter/reporters/GitlabCommentReporter.py
@@ -97,7 +97,11 @@ def produce_report(self):
 if gitlab_certificate_path != "":
 # Update certificates and set cert path in gitlab options
 run_command(
- {"cwd": "root", "command": "update-ca-certificates"},
+ {
+ "cwd": "root",
+ "command": "update-ca-certificates",
+ "secured_env": False,
+ },
 "GitlabCommentReporter",
 self.master,
 )
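Review bot: A command that sets `secured_env: false` now receives the values listed in SECURED_ENV_VARIABLES in its environment, and nothing in the hunk records that it ran unsecured; since `add_in_logs(` follows immediately (its remaining arguments are outside the hunk), include the state in that log entry, e.g. `f"secured_env={command_info['secured_env']}"`, so a report reader can see which PRE/POST command was exempted. Writing the default into the caller's dict is also unnecessary: `secured_env = command_info.get("secured_env", True)` before `complete_command` and `config.build_env(mega_linter.request_id, secured_env)` give the same default without mutating command_info. The new comment has a grammar slip; `# Secure env by default. Must be explicitly defined as false in the command definition to be disabled` reads cleanly. run_command's body continues beyond the hunk.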
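Review bot: The `update-ca-certificates` call opts out of the new default with `"secured_env": False`, which hands the SECURED_ENV_VARIABLES values to that subprocess, and nothing visible here suggests it needs them: the tool rebuilds the system trust store from certificate files, and the comment above only mentions updating certificates and setting the cert path. Unless it depends on a secured variable, drop the `"secured_env": False,` line so the secure default applies; if it does, keep the line and say why in a comment, e.g. `# update-ca-certificates needs <VARIABLE> from the unsecured environment`. produce_report's body starts and ends outside the hunk, so the preceding handling of gitlab_certificate_path could not be checked.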