Add exclusion list for environment variables (#802)

* Restrict runner ENV access

* Retrieve exclusion list from environment variable

* Apply suggestions from code review

* Fix “the blunder of the century”

https://www.youtube.com/watch?v=vcFBwt1nu2U

* Add warning for GitHub runners

* Update github.js

* Update github.js

---------

Co-authored-by: Helio Machado <[email protected]>

Author: DavidGOrtega

src/cml.js

@@ -421,7 +421,14 @@ class CML {
   }
 
   async startRunner(opts = {}) {
-    return await this.getDriver().startRunner(opts);
+    const env = {};
+    const sensitive = [
+      '_CML_RUNNER_SENSITIVE_ENV',
+      ...process.env._CML_RUNNER_SENSITIVE_ENV.split(':')
+    ];
+    for (const variable in process.env)
+      if (!sensitive.includes(variable)) env[variable] = process.env[variable];
+    return await this.getDriver().startRunner({ ...opts, env });
   }
 
   async registerRunner(opts = {}) {

src/drivers/bitbucket_cloud.js

@@ -166,7 +166,7 @@ class BitbucketCloud {
 
   async startRunner(opts) {
     const { projectPath } = this;
-    const { workdir, name, labels } = opts;
+    const { workdir, name, labels, env } = opts;
 
     winston.warn(
       `Bitbucket runner is working under /tmp folder and not under ${workdir} as expected`
@@ -197,7 +197,7 @@ class BitbucketCloud {
       ${gpu ? '--runtime=nvidia -e NVIDIA_VISIBLE_DEVICES=all' : ''} \
       docker-public.packages.atlassian.com/sox/atlassian/bitbucket-pipelines-runner:1`;
 
-      return spawn(command, { shell: true });
+      return spawn(command, { shell: true, env });
     } catch (err) {
       throw new Error(`Failed preparing runner: ${err.message}`);
     }

src/drivers/github.js

@@ -255,7 +255,11 @@ class Github {
   }
 
   async startRunner(opts) {
-    const { workdir, single, name, labels } = opts;
+    const { workdir, single, name, labels, env } = opts;
+
+    this.warn(
+      'cloud credentials are no longer available on self-hosted runner steps; please use step.env and secrets instead'
+    );
 
     try {
       const runnerCfg = resolve(workdir, '.runner');
@@ -295,7 +299,8 @@ class Github {
       );
 
       return spawn(resolve(workdir, 'run.sh'), {
-        shell: true
+        shell: true,
+        env
       });
     } catch (err) {
       throw new Error(`Failed preparing GitHub runner: ${err.message}`);

src/drivers/gitlab.js

@@ -183,7 +183,8 @@ class Gitlab {
       single,
       labels,
       name,
-      dockerVolumes = []
+      dockerVolumes = [],
+      env
     } = opts;
 
     const gpu = await gpuPresent();
@@ -222,7 +223,7 @@ class Gitlab {
         ${dockerVolumesTpl} \
         ${single ? '--max-builds 1' : ''}`;
 
-      return spawn(command, { shell: true });
+      return spawn(command, { shell: true, env });
     } catch (err) {
       if (err.message === 'Forbidden')
         err.message +=