Skip assessment if environment variable is empty (#194)

goodwithtech · Jul 23, 2022 · ff13dd0 · ff13dd0
1 parent d62b963
commit ff13dd0
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/pkg/assessor/manifest/manifest.go b/pkg/assessor/manifest/manifest.go
@@ -237,7 +237,12 @@ func sensitiveVars(cmd string) (bool, string) {
 		if !strings.Contains(word, "=") {
 			continue
 		}
-		varName := strings.Split(word, "=")[0]
+		vars := strings.Split(word, "=")
+		varName, varVal := vars[0], vars[1]
+		if varVal == "" {
+			continue
+		}
+
 		if _, ok := acceptanceEnvKey[varName]; ok {
 			continue
 		}

diff --git a/pkg/assessor/manifest/manifest_test.go b/pkg/assessor/manifest/manifest_test.go
@@ -410,8 +410,10 @@ func TestSensitiveVars(t *testing.T) {
 		expected bool
 	}{
 		"basic":              {cmd: "/bin/sh -c #(nop) ENV PASS=ADMIN", expected: true},
+		"empty value":        {cmd: "/bin/sh -c #(nop) ENV PASS=", expected: false},
 		"mixed cases":        {cmd: "/bin/sh -c #(nop) ENV PasS=ADMIN", expected: true},
 		"two vars":           {cmd: "/bin/sh -c #(nop) ENV abc=hello password=sensibledata", expected: true},
+		"empty two value":    {cmd: "/bin/sh -c #(nop) ENV ABC=hello PASS= ", expected: false},
 		"run command":        {cmd: `/bin/sh -c  SECRET_API_KEY=63AF7AA15067C05616FDDD88A3A2E8F226F0BC06 echo "data"`, expected: true},
 		"run false positive": {cmd: `/bin/sh -c HELLO="PASS=\"notThis\"" echo "false positive"`, expected: false},
 		"run command 2":      {cmd: `/bin/sh -c SECRET=myLittleSecret VAR2=VALUE2 VAR3=VALUE3 echo "Do something"`, expected: true},