Merge pull request #53 from haya14busa/project-run4-security

ProjectConf: hide secret environment variables from command executions
reviewdog · Dec 12, 2016 · f60bac3 · f60bac3
2 parents ba2a9ee + e96d92d
commit f60bac3
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 0 deletions.
diff --git a/project/run.go b/project/run.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"os"
 	"os/exec"
 
 	"golang.org/x/sync/errgroup"
@@ -13,6 +14,8 @@ import (
 
 // Run runs reviewdog tasks based on Config.
 func Run(ctx context.Context, conf *Config, c reviewdog.CommentService, d reviewdog.DiffService) error {
+	// environment variables for each commands
+	envs := filteredEnviron()
 	var g errgroup.Group
 	for _, runner := range conf.Runner {
 		fname := runner.Format
@@ -26,6 +29,7 @@ func Run(ctx context.Context, conf *Config, c reviewdog.CommentService, d review
 		}
 		rd := reviewdog.NewReviewdog(runner.Name, p, c, d)
 		cmd := exec.CommandContext(ctx, "sh", "-c", runner.Cmd)
+		cmd.Env = envs
 		stdout, err := cmd.StdoutPipe()
 		stderr, err := cmd.StderrPipe()
 		if err != nil {
@@ -43,3 +47,15 @@ func Run(ctx context.Context, conf *Config, c reviewdog.CommentService, d review
 	}
 	return nil
 }
+
+var secretEnvs = [...]string{
+	"REVIEWDOG_GITHUB_API_TOKEN",
+}
+
+func filteredEnviron() []string {
+	for _, name := range secretEnvs {
+		defer os.Setenv(name, os.Getenv(name))
+		os.Setenv(name, "")
+	}
+	return os.Environ()
+}
diff --git a/project/run_test.go b/project/run_test.go
@@ -3,6 +3,8 @@ package project
 import (
 	"context"
 	"errors"
+	"os"
+	"strings"
 	"testing"
 
 	"github.com/haya14busa/reviewdog"
@@ -123,3 +125,26 @@ func TestRun(t *testing.T) {
 	})
 
 }
+
+func TestFilteredEnviron(t *testing.T) {
+	const name = "REVIEWDOG_GITHUB_API_TOKEN"
+	defer os.Setenv(name, os.Getenv(name))
+	os.Setenv(name, "value")
+
+	filtered := filteredEnviron()
+	if len(filtered) != len(os.Environ()) {
+		t.Errorf("len(filtered) != len(os.Environ()), %v != %v", len(filtered), len(os.Environ()))
+	}
+
+	for _, kv := range filtered {
+		if strings.HasPrefix(kv, name) && kv != name+"=" {
+			t.Errorf("filtered: %v, want %v=", kv, name)
+		}
+	}
+
+	for _, kv := range os.Environ() {
+		if strings.HasPrefix(kv, name) && kv != name+"=value" {
+			t.Errorf("envs: %v, want %v=value", kv, name)
+		}
+	}
+}