Filter environment variables when creating child processes

[oheger-bosch]

This PR addresses #5973. Refer to the single commits for further details.

[codecov]

Codecov Report

Base: 57.79% // Head: 57.83% // Increases project coverage by +0.04% 🎉

Coverage data is based on head (23d5657) compared to base (5788347).
Patch coverage: 100.00% of modified lines in pull request are covered.

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #5984      +/-   ##
============================================
+ Coverage     57.79%   57.83%   +0.04%     
- Complexity     2013     2019       +6     
============================================
  Files           324      324              
  Lines         18761    18761              
  Branches       3876     3881       +5     
============================================
+ Hits          10842    10850       +8     
+ Misses         6862     6852      -10     
- Partials       1057     1059       +2     

Flag	Coverage Δ
funTest-non-analyzer	51.01% <0.00%> (+0.06%)	⬆️
test	27.53% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
model/src/main/kotlin/config/OrtConfiguration.kt	97.43% <100.00%> (+0.13%)	⬆️
.../src/main/kotlin/config/LicenseFilenamePatterns.kt
...odel/src/main/kotlin/config/LicenseFilePatterns.kt	86.95% <0.00%> (ø)
analyzer/src/main/kotlin/managers/Bundler.kt	48.07% <0.00%> (+0.19%)	⬆️
cli/src/main/kotlin/commands/AnalyzerCommand.kt	87.19% <0.00%> (+0.60%)	⬆️
cli/src/main/kotlin/commands/ConfigCommand.kt	59.37% <0.00%> (+3.12%)	⬆️
downloader/src/main/kotlin/vcs/Git.kt	74.33% <0.00%> (+5.16%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[sschuberth]

Phew. Looking at the length of this, I really wonder whether the "allow"-approach is the right one.

In either case we should probably consider to support wildcards or regexes, so one could allow / deny e.g. CARGO_*.

[oheger-bosch]

Yes, I was already sceptical when the decision was taken. It will be very difficult to come up with an exhaustive list. In addition, this list will have to be maintained when there are new versions of tools.

Using of wildcards will simplify the configuration, but again increase the risk that an unwanted variable is passed through.

[sschuberth]

I wonder whether we should come up with something completely different... a "crazy" approach could be to look at the entropy of the value of an environment variable to "guess" whether it's likely a password or so, and only then do not pass it on to the spawned process.

Or, instead of a global list, create tool-specific lists that are used in CommandLineTool objects. I.e. we should wrap each tool we call in an object instead of implementing the interface in the main class itself (see MercurialCommand for an example), and each of these objects gets its own (hard-coded) list of allowed environment variables. That should at least ease maintainability a bit.

[oheger-bosch]

I fear the entropy approach is too clever to work in practice.

If the allowed variables were configured at the command line tools, this could indeed make the maintenance a bit easier. But how could these configurations then be extended? For our use case, we will need to pass additional variables with credentials to package managers.

[sschuberth]

Alternatively to this, apply .toSortedMap(String.CASE_INSENSITIVE_ORDER) to environment on Windows before looking up the keys.

[nnobelis]

We should also propagate PATH and PWD.

[oheger-bosch]

PATH really seems to be required. Lots of tests were failing because tools could not be found.

[oheger-bosch]

I have implemented an alternative approach as described in my last comment on #5973. This seems to be significantly easier by (hopefully) offering a comparable level of security.

[sschuberth]

Thinking about it, the term "pattern" in the variable name (and also in the docs above) probably is a bit too auspicious as these neither are glob nor regex patterns (I was looking for docs by which principle patterns are matched). So, as this simply is a case-insensitive sub-string search, maybe just use "term"?

[sschuberth]

Or "substrings", also see my comment about not using a regexes below.

[oheger-bosch]

Now using the term "substrings" (hopefully) everywhere.

[sschuberth]

BTW, this line confirms me that "patters" is the wrong word for the variable, because if they already were patters, there would be no point in converting them toPatterns().

[sschuberth]

BTW @oheger-bosch, did you forget to push?

[oheger-bosch]

BTW @oheger-bosch, did you forget to push?

I did not manage to finish this yesterday. Sorry for the confusion. Now all changes should be available.

[sschuberth]

Just some (hopefully) final nits.

[sschuberth]

Just wondering, why are you using . as a separator before the DB_CONN? For a more realistic example, shouldn't it be @?

[oheger-bosch]

Yes, but the "@" character could be problematic when it is interpreted by the shell. I did not want to mess around with escaping syntax, since for the test it is only relevant that some of the values are replaced while others are not.

[nnobelis]

Having a function that modifies it parameters AND returns the modified version is a bit of codesmell.

I would rather have either an extension function MutableMap<String, String>.filter or no return value.

[sschuberth]

I like the idea of an extension function that only filters in-place.

[oheger-bosch]

The parameter is returned to have a single expression in ProcessCapture where the filter is applied. I am not sure whether I understand the proposal for an extension function. How would the signature of such an extension function look like and how would it help in this context?

[nnobelis]

As written MutableMap<String, String>.filter() and applied like that:

with(EnvironmentVariableFilter) {
    environment().filter().putAll(environment)
}

but it is more verbose.

[nnobelis]

Or remove the return value, you don't use it in ProcessCapture.

[oheger-bosch]

Hm, the extension function would suffer from the same codesmell problem, wouldn't it? If it returns a value (this in this case), it is not obvious that filtering was done in-place.

I am fine with removing the return value. It is used in ProcessCapture for the method chaining, but if this becomes more verbose, this should not be a big issue.

[nnobelis]

You're right: since environment() is a MutableMap and there is no 'cleaner' way of changing it, I am find to leave the code as it is.