Skip to content

Disallow invalid identifiers as environment keys#53

Merged
sambostock merged 2 commits intomainfrom
validate-env-var-names
Jul 10, 2023
Merged

Disallow invalid identifiers as environment keys#53
sambostock merged 2 commits intomainfrom
validate-env-var-names

Conversation

@sambostock
Copy link
Contributor

@sambostock sambostock commented Feb 18, 2023

Since the keys under environment will end up as the identifiers in export lines, we should ensure they are valid identifiers.

export not valid=value
export worse; echo dangerous; _='uh oh'

@sambostock sambostock requested a review from burke as a code owner February 18, 2023 03:59
sambostock
sambostock commented Feb 18, 2023
View reviewed changes
Copy link
Contributor Author

@sambostock sambostock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I included changes to the fixture names, as I felt it made it clearer what was going on.

env.go
Comment on lines +32 to +37
// Reject keys that would be invalid environment variable identifiers
if !validIdentifierPattern.MatchString(key) {
err := fmt.Errorf("invalid identifier as key in environment: %q", key)

return nil, err
}
Copy link
Contributor Author

@sambostock sambostock Feb 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to the comment below, we seem to ignore when the values don't convert to strings properly, rather than return an error. IMO we should be loud about these failures (I think non-strings should also be errors, or at least print something to stderr), however if we really think it's better to silently continue, then we could change this to "only export keys that are valid identifiers" (and simply ignore invalid ones).

Separately, I may open a PR to add said stderr message (since making it an error would be a breaking change that could break production deployments).

env.go
var errNoEnv = errors.New("environment is not set in ejson")
var errEnvNotMap = errors.New("environment is not a map[string]interface{}")

var validIdentifierPattern = regexp.MustCompile(`\A[a-zA-Z_][a-zA-Z0-9_]*\z`)
Copy link
Contributor Author

@sambostock sambostock Feb 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would also work, and would be shorter

Suggested change
var validIdentifierPattern = regexp.MustCompile(`\A[a-zA-Z_][a-zA-Z0-9_]*\z`)
var validIdentifierPattern = regexp.MustCompile(`\A[a-zA-Z_]\w*\z`)

but after thinking about it, I think the long form is clearer, as it explicitly shows how the first character can't be a digit, but that otherwise it's all the same.

@sambostock
Use descriptive test fixture names
04e699c
@sambostock
Disallow invalid identifiers as environment keys
8de5507 
Since the keys under `environment` will end up as the identifiers in
`export` lines, we should ensure they are valid identifiers.

    export not valid=value
    export worse; echo dangerous; _='uh oh'
@sambostock sambostock force-pushed the validate-env-var-names branch from 3c6e08d to 8de5507 Compare July 10, 2023 19:48
@sambostock sambostock merged commit 4c2ebb7 into main Jul 10, 2023
@sambostock sambostock deleted the validate-env-var-names branch July 10, 2023 19:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@burke burke burke approved these changes

@Abdulwahaab710 Abdulwahaab710 Awaiting requested review from Abdulwahaab710

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sambostock @burke