From 1b0224398aa3d090f6b38816f6caf3077c374c0f Mon Sep 17 00:00:00 2001
From: Aydin Hassan
Date: Sun, 10 Mar 2024 11:11:33 +0100
Subject: [PATCH] Don't inherit env otherwise we leak all secrets

---
 src/ExerciseRunner/CgiRunner.php | 17 ++++++++++++++++-
 src/ExerciseRunner/CliRunner.php | 17 ++++++++++++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/src/ExerciseRunner/CgiRunner.php b/src/ExerciseRunner/CgiRunner.php
index 5fbfc710..e29e3348 100644
--- a/src/ExerciseRunner/CgiRunner.php
+++ b/src/ExerciseRunner/CgiRunner.php
@@ -198,7 +198,8 @@ private function executePhpFile(string $fileName, RequestInterface $request, str
      */
     private function getProcess(string $fileName, RequestInterface $request): Process
     {
-        $env = [
+        $env = $this->getDefaultEnv();
+        $env += [
             'REQUEST_METHOD' => $request->getMethod(),
             'SCRIPT_FILENAME' => $fileName,
             'REDIRECT_STATUS' => 302,
@@ -224,6 +225,20 @@ private function getProcess(string $fileName, RequestInterface $request): Proces
         return Process::fromShellCommandline($cmd, null, $env, null, 10);
     }
 
+    /**
+     * We need to reset env entirely, because Symfony inherits it. We do that by setting all
+     * the current env vars to false
+     *
+     * @return array
+     */
+    private function getDefaultEnv(): array
+    {
+        $env = array_map(fn () => false, $_ENV);
+        $env + array_map(fn () => false, $_SERVER);
+
+        return $env;
+    }
+
     /**
      * Verifies a solution by invoking PHP via the `php-cgi` binary, populating all the super globals with
      * the information from the request objects returned from the exercise. The exercise can return multiple
diff --git a/src/ExerciseRunner/CliRunner.php b/src/ExerciseRunner/CliRunner.php
index fa204766..4750405e 100644
--- a/src/ExerciseRunner/CliRunner.php
+++ b/src/ExerciseRunner/CliRunner.php
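Review bot: The added `$env += [` in `getProcess` gives the `false` entries from `getDefaultEnv()` precedence over the request-derived values, because PHP's array union keeps the left operand's value for a duplicate key, so any name present both in the parent environment and in this literal (`SCRIPT_FILENAME` is one the CLI SAPI itself places into `$_SERVER`) would reach php-cgi as unset instead of as `$fileName`. Today this is masked because `getDefaultEnv()` only ever holds `$_ENV` keys (its `$_SERVER` merge is a discarded expression), but it bites as soon as that is fixed. Keep the literal as `$env = [` and union the defaults in afterwards with the explicit values on the left: `$env += $this->getDefaultEnv();` placed after the closing `];`. Both the array literal and the rest of `getProcess` continue outside the hunk.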
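Review bot: `$env + array_map(fn () => false, $_SERVER);` in the new `getDefaultEnv()` is a bare expression whose result is thrown away, so `$env` only ever contains `$_ENV` keys; when `variables_order` omits `E` (as both php.ini-production and php.ini-development do) `$_ENV` is empty, the method returns `[]`, and the child still inherits every variable the commit message says it wants to hide. The intended line is `$env += array_map(fn () => false, $_SERVER);`, though since the target is the process environment rather than request superglobals, `array_map(fn () => false, getenv())` (no-argument `getenv()` returns the whole environment since PHP 7.1) is shorter and independent of `variables_order`. Because only `false` values are produced, `@return array<string, false>` documents the contract better than `@return array`, and the docblock should state that the `false` is what makes Symfony Process unset rather than forward the variable, since that is the assumption the whole fix rests on.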
@@ -137,12 +137,27 @@ private function getPhpProcess(string $fileName, ArrayObject $args): Process
         return new Process(
             $args->prepend($fileName)->prepend($this->phpLocation)->getArrayCopy(),
             dirname($fileName),
-            ['XDEBUG_MODE' => 'off'],
+            $this->getDefaultEnv() + ['XDEBUG_MODE' => 'off'],
             null,
             10
         );
     }
 
+    /**
+     * We need to reset env entirely, because Symfony inherits it. We do that by setting all
+     * the current env vars to false
+     *
+     * @return array
+     */
+    private function getDefaultEnv(): array
+    {
+        $env = array_map(fn () => false, $_ENV);
+        $env + array_map(fn () => false, $_SERVER);
+
+        return $env;
+    }
+
+
     /**
      * Verifies a solution by invoking PHP from the CLI passing the arguments gathered from the exercise
      * as command line arguments to PHP.
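Review bot: `$this->getDefaultEnv() + ['XDEBUG_MODE' => 'off']` on the new side resolves the duplicate key in favour of the left operand, so whenever the parent shell already exports `XDEBUG_MODE` — the very situation this override exists for — the child receives `XDEBUG_MODE => false`, i.e. the variable is unset rather than forced to `off`; swap the operands: `['XDEBUG_MODE' => 'off'] + $this->getDefaultEnv()`. This copy of `getDefaultEnv()` carries the same defect as its twin in CgiRunner: `$env + array_map(fn () => false, $_SERVER);` discards its result and must read `$env += array_map(fn () => false, $_SERVER);`, otherwise only `$_ENV` keys are masked and, with `variables_order` lacking `E`, none at all. Two byte-identical private methods in sibling runners will drift; pull the environment-masking into one shared helper (a trait or a small final class both runners receive) so the fix lands once. The second empty `+` line before the `Verifies a solution` docblock leaves a double blank line between methods that a formatter will strip.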