Strip INPUT_* env variables from subprocesses

2021-05-05 16:32:13 -04:00 · 2021-05-05 16:32:13 -04:00 · fad1bf5141
parent 3491e2eeea
commit fad1bf5141
3 changed files with 21 additions and 2 deletions
--- a/packages/exec/tests/exec.test.ts
+++ b/packages/exec/tests/exec.test.ts
@ -1,4 +1,5 @@
 import * as exec from '../src/exec'
+import * as tr from '../src/toolrunner'
 import * as im from '../src/interfaces'

 import * as childProcess from 'child_process'
@ -620,6 +621,14 @@ describe('@actions/exec', () => {
    expect(output.trim()).toBe(`args[0]: "hello"${os.EOL}args[1]: "world"`)
  })

+  it('tool runner strips INPUT_ params from environment for child process', () => {
+    const env = {INPUT_TEST: 'input value', SOME_OTHER_ENV: 'some other value'}
+    const sanitizedEnv = tr.stripInputEnvironmentVariables(env)
+
+    expect(sanitizedEnv).not.toHaveProperty('INPUT_TEST')
+    expect(sanitizedEnv).toHaveProperty('SOME_OTHER_ENV')
+  })
+
  if (IS_WINDOWS) {
    it('Exec roots relative tool path using process.cwd (Windows path separator)', async () => {
      let exitCode: number
--- a/packages/exec/src/interfaces.ts
+++ b/packages/exec/src/interfaces.ts
@ -6,7 +6,7 @@ export interface ExecOptions {
  /** optional working directory.  defaults to current */
  cwd?: string

-  /** optional envvar dictionary.  defaults to current process's env */
+  /** optional envvar dictionary.  defaults to current process's env with `INPUT_*` variables removed */
  env?: {[key: string]: string}

  /** optional.  defaults to false */
--- a/packages/exec/src/toolrunner.ts
+++ b/packages/exec/src/toolrunner.ts
@ -377,7 +377,7 @@ export class ToolRunner extends events.EventEmitter {
    options = options || <im.ExecOptions>{}
    const result = <child.SpawnOptions>{}
    result.cwd = options.cwd
-    result.env = options.env
+    result.env = options.env || stripInputEnvironmentVariables(process.env)
    result['windowsVerbatimArguments'] =
      options.windowsVerbatimArguments || this._isCmdFile()
    if (options.windowsVerbatimArguments) {
@ -600,6 +600,16 @@ export function argStringToArray(argString: string): string[] {
  return args
 }

+// Strips INPUT_ environment variables to prevent them leaking to child processes
+export function stripInputEnvironmentVariables(env: NodeJS.ProcessEnv): NodeJS.ProcessEnv {
+  return Object.entries(env).filter(([key, value]) => {
+    return !key.startsWith('INPUT_')
+  }).reduce((obj: NodeJS.ProcessEnv, [key, value]) => {
+    obj[key] = value
+    return obj
+  }, {})
+}
+
 class ExecState extends events.EventEmitter {
  constructor(options: im.ExecOptions, toolPath: string) {
    super()