diff --git a/releasenotes/notes/zuul-ansible-environment-secrets-983e8ced908b294d.yaml b/releasenotes/notes/zuul-ansible-environment-secrets-983e8ced908b294d.yaml
new file mode 100644
index 0000000000..8cf6ef8e42
--- /dev/null
+++ b/releasenotes/notes/zuul-ansible-environment-secrets-983e8ced908b294d.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - |
+ Zuul no longer adds environment variables starting with the ``ZUUL_`` prefix
+ to ansibles environment which could result in secrets being exposed.
diff --git a/tests/fixtures/config/zuul-environment-filter/git/common-config/playbooks/zuul-environment-filter.yaml b/tests/fixtures/config/zuul-environment-filter/git/common-config/playbooks/zuul-environment-filter.yaml
new file mode 100644
index 0000000000..04ffb7815a
--- /dev/null
+++ b/tests/fixtures/config/zuul-environment-filter/git/common-config/playbooks/zuul-environment-filter.yaml
@@ -0,0 +1,10 @@
+- hosts: all
+ tasks:
+ - debug:
+ var: lookup('env', 'ZUUL_TEST_VAR')
+ - assert:
+ that: lookup('env', 'ZUUL_TEST_VAR') == ""
+ - debug:
+ var: lookup('env', 'TEST_VAR')
+ - assert:
+ that: lookup('env', 'TEST_VAR') == "not-empty"
diff --git a/tests/fixtures/config/zuul-environment-filter/git/common-config/zuul.yaml b/tests/fixtures/config/zuul-environment-filter/git/common-config/zuul.yaml
new file mode 100644
index 0000000000..9097c596e4
--- /dev/null
+++ b/tests/fixtures/config/zuul-environment-filter/git/common-config/zuul.yaml
@@ -0,0 +1,21 @@
+- pipeline:
+ name: promote
+ manager: supercedent
+ post-review: true
+ trigger:
+ gerrit:
+ - event: change-merged
+
+- job:
+ name: zuul-environment-filter
+ parent: null
+ run: playbooks/zuul-environment-filter.yaml
+ nodeset:
+ nodes:
+ - name: ubuntu-xenial
+ label: ubuntu-xenial
+
+- project:
+ promote:
+ jobs:
+ - zuul-environment-filter
diff --git a/tests/fixtures/config/zuul-environment-filter/main.yaml b/tests/fixtures/config/zuul-environment-filter/main.yaml
new file mode 100644
index 0000000000..9d01f542f9
--- /dev/null
+++ b/tests/fixtures/config/zuul-environment-filter/main.yaml
@@ -0,0 +1,6 @@
+- tenant:
+ name: tenant-one
+ source:
+ gerrit:
+ config-projects:
+ - common-config
diff --git a/tests/unit/test_executor.py b/tests/unit/test_executor.py
index 45cb41a13a..ef28ad6545 100644
--- a/tests/unit/test_executor.py
+++ b/tests/unit/test_executor.py
@@ -816,6 +816,21 @@ class TestExecutorFacts(AnsibleZuulTestCase):
 self.assertEqual(18, len(date_time))
+class TestExecutorEnvironment(AnsibleZuulTestCase):
+ tenant_config_file = 'config/zuul-environment-filter/main.yaml'
+
+ @mock.patch.dict('os.environ', {'ZUUL_TEST_VAR': 'some-value',
+ 'TEST_VAR': 'not-empty'})
+ def test_zuul_environment_filter(self):
+ A = self.fake_gerrit.addFakeChange('common-config', 'master', 'A')
+ self.fake_gerrit.addEvent(A.getChangeMergedEvent())
+ self.waitUntilSettled()
+
+ self.assertEqual(
+ self.getJobFromHistory('zuul-environment-filter').result,
+ 'SUCCESS')
+
+
 class TestExecutorStart(ZuulTestCase):
 tenant_config_file = 'config/single-tenant/main.yaml'
diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index 65690a5a61..ac137a77fb 100644
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@@ -2117,7 +2117,9 @@ class AnsibleJob(object):
 def runAnsible(self, cmd, timeout, playbook, ansible_version,
 wrapped=True, cleanup=False):
 config_file = playbook.ansible_config
- env_copy = os.environ.copy()
+ env_copy = {key: value
+ for key, value in os.environ.copy().items()
+ if not key.startswith("ZUUL_")}
 env_copy.update(self.ssh_agent.env)
 if self.ara_callbacks:
 env_copy['ARA_LOG_CONFIG'] = self.jobdir.logging_json
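Review bot: test_zuul_environment_filter has no docstring, and nothing in its body shows what is being verified — the environment checks live in the fixture playbook, so a reader of the test only sees that some job reached SUCCESS. A docstring along the lines of `"""ZUUL_* variables set in the executor's environment must not reach Ansible; the env assertions are in playbooks/zuul-environment-filter.yaml."""` would make the intent findable from the test itself. It would also help to state there that `mock.patch.dict('os.environ', ...)` only alters this test process's environment, so the check presumably depends on the executor running in-process under AnsibleZuulTestCase — worth confirming that assumption holds, since otherwise the patched variables never reach the code under test.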
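Review bot: The new comprehension in runAnsible copies the environment twice — `os.environ.copy()` builds a dict that is immediately iterated to build another one — and the line carries no comment saying why `ZUUL_` is stripped, so the reasoning only exists in the release note. I would also record that this is a prefix denylist rather than a sanitised environment: every other variable of the executor process still passes through to Ansible (the new fixture playbook asserts exactly that for `TEST_VAR`), and `self.ssh_agent.env` and ARA settings are layered on afterwards. Suggested replacement for the three added lines, preceded by a two-line comment explaining the above: `env_copy = {key: value for key, value in os.environ.items()` / `            if not key.startswith("ZUUL_")}`. The rest of runAnsible continues outside this hunk.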