Hide sensitive tokens from install/test/post.

Hide these tokens to avoid malicious subprocesses e.g. sending them over the network. Also, support using these tokens with environment filtering and clear `HOMEBREW_PATH` from subprocesses to stop them sniffing it. Finally, use `HOMEBREW_PATH` to detect Homebrew’s user’s PATH for e.g. `brew doctor` etc.

Hide sensitive tokens from install/test/post.
d02b4f32 · Mike McQuaid · 206d6de8 · d02b4f32 · d02b4f32 · d02b4f32
Commit d02b4f32 authored 7 years ago by Mike McQuaid
--- a/Library/Homebrew/dev-cmd/mirror.rb
+++ b/Library/Homebrew/dev-cmd/mirror.rb
@@ -8,10 +8,10 @@ module Homebrew
  def mirror
    odie "This command requires at least formula argument!" if ARGV.named.empty?
-    bintray_user = ENV["BINTRAY_USER"]
+    bintray_user = ENV["HOMEBREW_BINTRAY_USER"]
-    bintray_key = ENV["BINTRAY_KEY"]
+    bintray_key = ENV["HOMEBREW_BINTRAY_KEY"]
    if !bintray_user || !bintray_key
-      raise "Missing BINTRAY_USER or BINTRAY_KEY variables!"
+      raise "Missing HOMEBREW_BINTRAY_USER or HOMEBREW_BINTRAY_KEY variables!"
    end
    ARGV.formulae.each do |f|

--- a/Library/Homebrew/dev-cmd/pull.rb
+++ b/Library/Homebrew/dev-cmd/pull.rb
@@ -263,7 +263,7 @@ module Homebrew
    end
    published = []
-    bintray_creds = { user: ENV["BINTRAY_USER"], key: ENV["BINTRAY_KEY"] }
+    bintray_creds = { user: ENV["HOMEBREW_BINTRAY_USER"], key: ENV["HOMEBREW_BINTRAY_KEY"] }
    if bintray_creds[:user] && bintray_creds[:key]
      changed_formulae_names.each do |name|
        f = Formula[name]
@@ -272,7 +272,7 @@ module Homebrew
        published << f.full_name
      end
    else
-      opoo "You must set BINTRAY_USER and BINTRAY_KEY to add or update bottles on Bintray!"
+      opoo "You must set HOMEBREW_BINTRAY_USER and HOMEBREW_BINTRAY_KEY to add or update bottles on Bintray!"
    end
    published
  end

--- a/Library/Homebrew/diagnostic.rb
+++ b/Library/Homebrew/diagnostic.rb
@@ -439,7 +439,7 @@ module Homebrew
        message = ""
-        paths.each do |p|
+        paths(ENV["HOMEBREW_PATH"]).each do |p|
          case p
          when "/usr/bin"
            unless $seen_prefix_bin
@@ -609,7 +609,7 @@ module Homebrew
          /Applications/Server.app/Contents/ServerRoot/usr/sbin
        ].map(&:downcase)
-        paths.each do |p|
+        paths(ENV["HOMEBREW_PATH"]).each do |p|
          next if whitelist.include?(p.downcase) || !File.directory?(p)
          realpath = Pathname.new(p).realpath.to_s

--- a/Library/Homebrew/extend/ENV.rb
+++ b/Library/Homebrew/extend/ENV.rb
@@ -26,6 +26,13 @@ module EnvActivation
  ensure
    replace(old_env)
  end
+  def clear_sensitive_environment!
+    ENV.keys.each do |key|
+      next unless /(cookie|key|token)/i =~ key
+      ENV.delete key
+    end
+  end
 end
 ENV.extend(EnvActivation)
--- a/Library/Homebrew/formula.rb
+++ b/Library/Homebrew/formula.rb
@@ -13,6 +13,7 @@ require "pkg_version"
 require "tap"
 require "keg"
 require "migrator"
+require "extend/ENV"
 # A formula provides instructions and metadata for Homebrew to install a piece
 # of software. Every Homebrew formula is a {Formula}.
@@ -1013,10 +1014,17 @@ class Formula
    @prefix_returns_versioned_prefix = true
    build = self.build
    self.build = Tab.for_formula(self)
    old_tmpdir = ENV["TMPDIR"]
    old_temp = ENV["TEMP"]
    old_tmp = ENV["TMP"]
+    old_path = ENV["HOMEBREW_PATH"]
    ENV["TMPDIR"] = ENV["TEMP"] = ENV["TMP"] = HOMEBREW_TEMP
+    ENV["HOMEBREW_PATH"] = nil
+    ENV.clear_sensitive_environment!
    with_logging("post_install") do
      post_install
    end
@@ -1025,6 +1033,7 @@ class Formula
    ENV["TMPDIR"] = old_tmpdir
    ENV["TEMP"] = old_temp
    ENV["TMP"] = old_tmp
+    ENV["HOMEBREW_PATH"] = old_path
    @prefix_returns_versioned_prefix = false
  end
@@ -1664,9 +1673,15 @@ class Formula
    old_temp = ENV["TEMP"]
    old_tmp = ENV["TMP"]
    old_term = ENV["TERM"]
+    old_path = ENV["HOMEBREW_PATH"]
    ENV["CURL_HOME"] = old_curl_home || old_home
    ENV["TMPDIR"] = ENV["TEMP"] = ENV["TMP"] = HOMEBREW_TEMP
    ENV["TERM"] = "dumb"
+    ENV["HOMEBREW_PATH"] = nil
+    ENV.clear_sensitive_environment!
    mktemp("#{name}-test") do |staging|
      staging.retain! if ARGV.keep_tmp?
      @testpath = staging.tmpdir
@@ -1689,6 +1704,7 @@ class Formula
    ENV["TEMP"] = old_temp
    ENV["TMP"] = old_tmp
    ENV["TERM"] = old_term
+    ENV["HOMEBREW_PATH"] = old_path
    @prefix_returns_versioned_prefix = false
  end
@@ -1925,17 +1941,24 @@ class Formula
      mkdir_p env_home
      old_home = ENV["HOME"]
-      ENV["HOME"] = env_home
      old_curl_home = ENV["CURL_HOME"]
+      old_path = ENV["HOMEBREW_PATH"]
+      ENV["HOME"] = env_home
      ENV["CURL_HOME"] = old_curl_home || old_home
+      ENV["HOMEBREW_PATH"] = nil
      setup_home env_home
+      ENV.clear_sensitive_environment!
      begin
        yield staging
      ensure
        @buildpath = nil
        ENV["HOME"] = old_home
        ENV["CURL_HOME"] = old_curl_home
+        ENV["HOMEBREW_PATH"] = old_path
      end
    end
  end

--- a/Library/Homebrew/global.rb
+++ b/Library/Homebrew/global.rb
@@ -53,7 +53,7 @@ HOMEBREW_PULL_OR_COMMIT_URL_REGEX = %r[https://github\.com/([\w-]+)/([\w-]+)?/(?
 require "compat" unless ARGV.include?("--no-compat") || ENV["HOMEBREW_NO_COMPAT"]
-ORIGINAL_PATHS = ENV["PATH"].split(File::PATH_SEPARATOR).map do |p|
+ORIGINAL_PATHS = ENV["HOMEBREW_PATH"].split(File::PATH_SEPARATOR).map do |p|
  begin
    Pathname.new(p).expand_path
  rescue

--- a/Library/Homebrew/test/diagnostic_spec.rb
+++ b/Library/Homebrew/test/diagnostic_spec.rb
@@ -122,8 +122,9 @@ describe Homebrew::Diagnostic::Checks do
  specify "#check_user_path_3" do
    begin
      sbin = HOMEBREW_PREFIX/"sbin"
-      ENV["PATH"] = "#{HOMEBREW_PREFIX}/bin#{File::PATH_SEPARATOR}" +
+      ENV["HOMEBREW_PATH"] =
-                    ENV["PATH"].gsub(/(?:^|#{Regexp.escape(File::PATH_SEPARATOR)})#{Regexp.escape(sbin)}/, "")
+        "#{HOMEBREW_PREFIX}/bin#{File::PATH_SEPARATOR}" +
+        ENV["HOMEBREW_PATH"].gsub(/(?:^|#{Regexp.escape(File::PATH_SEPARATOR)})#{Regexp.escape(sbin)}/, "")
      (sbin/"something").mkpath
      expect(subject.check_user_path_1).to be nil
@@ -149,7 +150,9 @@ describe Homebrew::Diagnostic::Checks do
      file = "#{path}/foo-config"
      FileUtils.touch file
      FileUtils.chmod 0755, file
-      ENV["PATH"] = "#{path}#{File::PATH_SEPARATOR}#{ENV["PATH"]}"
+      ENV["HOMEBREW_PATH"] =
+        ENV["PATH"] =
+          "#{path}#{File::PATH_SEPARATOR}#{ENV["PATH"]}"
      expect(subject.check_for_config_scripts)
        .to match('"config" scripts exist')

--- a/Library/Homebrew/test/support/helper/spec/shared_context/integration_test.rb
+++ b/Library/Homebrew/test/support/helper/spec/shared_context/integration_test.rb
@@ -72,6 +72,7 @@ RSpec.shared_context "integration test" do
    env.merge!(
      "PATH" => path,
+      "HOMEBREW_PATH" => path,
      "HOMEBREW_BREW_FILE" => HOMEBREW_PREFIX/"bin/brew",
      "HOMEBREW_INTEGRATION_TEST" => command_id_from_args(args),
      "HOMEBREW_TEST_TMPDIR" => TEST_TMPDIR,

--- a/Library/Homebrew/utils.rb
+++ b/Library/Homebrew/utils.rb
@@ -406,8 +406,8 @@ def nostdout
  end
 end
-def paths
+def paths(env_path = ENV["PATH"])
-  @paths ||= ENV["PATH"].split(File::PATH_SEPARATOR).collect do |p|
+  @paths ||= env_path.split(File::PATH_SEPARATOR).collect do |p|
    begin
      File.expand_path(p).chomp("/")
    rescue ArgumentError