@lox
Last active March 14, 2023 22:20
A Buildkite pre-bootstrap hook that fails a job before it starts if the job's environment (read from the file named by BUILDKITE_ENV_FILE) sets known dangerous variables such as PATH, LD_PRELOAD or LD_LIBRARY_PATH.
#!/bin/bash
set -euo pipefail
# Buildkite pre-bootstrap hook that fails a job if its environment sets any
# of the variables below. The agent writes the job's environment to the file
# named by BUILDKITE_ENV_FILE (one KEY=value per line) and runs this hook
# before the bootstrap; a non-zero exit fails the job without running it.
#
# The list is a starting point, not an exhaustive one: extend it for the
# interpreters and tools your builds actually run.
blocklist=(
  # General Linux
  "PATH"            # Executable search path: lets a job shadow any command
  "LD_PRELOAD"      # Shared libraries injected into every dynamically linked process
  "LD_LIBRARY_PATH" # Custom shared library search path
  "TZ"              # Timezone; glibc also accepts a path to an arbitrary tzfile
  # Locale: changes collation, number and message formatting under every tool
  "LANG"            # Default locale
  "LC_ALL"          # Overrides all other LC_* variables
  "LC_CTYPE"        # Character classification and encoding
  "LC_COLLATE"      # String collation order
  "LC_MESSAGES"     # Localization of messages
  "LC_MONETARY"     # Currency formatting
  "LC_NUMERIC"      # Numeric formatting
  "LC_TIME"         # Date and time formatting
  # User and group: identity, and where tools look for config and credentials
  "UID"             # User ID
  "GID"             # Group ID
  "USER"            # Username
  "HOME"            # Home directory (~/.ssh, ~/.netrc, ~/.gitconfig, ...)
)

# Exact, case-sensitive match of a variable name against the blocklist.
is_blocked() {
  local name="$1" env
  for env in "${blocklist[@]}"; do
    if [ "$env" = "$name" ]; then
      return 0
    fi
  done
  return 1
}

# Fail the job on the first blocked variable. The name is everything before
# the first '=' so values containing '=' are handled. The `|| [ -n "$var" ]`
# also checks a final line with no trailing newline, which a plain
# `while read` loop would silently skip.
while read -r var || [ -n "$var" ]; do
  if is_blocked "${var%%=*}"; then
    echo "ERROR: Blocked environment variable: $var" >&2
    exit 1
  fi
done < "${BUILDKITE_ENV_FILE:?BUILDKITE_ENV_FILE is not set}"
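As an added example, not part of the gist above, here is a POSIX-shell harness for exercising the same blocking policy against constructed env files before installing it on an agent. It assumes the one-KEY=value-per-line format the hook reads, copies the hook's blocklist into a `case` statement, and goes a little beyond the hook in two ways: it reports every offending variable rather than stopping at the first, and it reads a last line that has no trailing newline. The sample job environments are constructed here and are not captured from a real agent.

```shell
#!/bin/sh
# Added example (not from the gist): exercise the blocking policy against
# constructed env files before installing it as a pre-bootstrap hook.
# Assumption: the env file is one KEY=value per line, as the hook reads it.
set -u

# is_blocked NAME: exact, case-sensitive match against the policy
# (same names as the hook's blocklist).
is_blocked() {
  case "$1" in
    PATH|LD_PRELOAD|LD_LIBRARY_PATH|TZ) return 0 ;;
    LANG|LC_ALL|LC_CTYPE|LC_COLLATE|LC_MESSAGES|LC_MONETARY|LC_NUMERIC|LC_TIME) return 0 ;;
    UID|GID|USER|HOME) return 0 ;;
    *) return 1 ;;
  esac
}

# blocked_vars FILE: print the name of every blocked variable in FILE, one
# per line. The `|| [ -n "$line" ]` keeps a final line without a trailing
# newline, which a bare `while read` loop would drop.
blocked_vars() {
  line=""
  while IFS= read -r line || [ -n "$line" ]; do
    name="${line%%=*}"          # key is everything before the first '='
    if [ -n "$name" ] && is_blocked "$name"; then
      printf '%s\n' "$name"
    fi
  done < "$1"
  return 0
}

# check_env_file FILE: the hook's decision; exit 0 = allow job, 1 = fail job.
# Reports every offending variable instead of stopping at the first.
check_env_file() {
  found="$(blocked_vars "$1")"
  if [ -z "$found" ]; then
    return 0
  fi
  printf '%s\n' "$found" | while IFS= read -r name; do
    echo "ERROR: Blocked environment variable: $name" >&2
  done
  return 1
}

# Constructed sample job environments (not captured from a real agent).
make_benign_env() {
  f="$(mktemp)"
  # A value containing '=' checks that only the part before the first '=' is the name.
  printf 'BUILDKITE_BUILD_NUMBER=42\nBUILDKITE_COMMAND=make test\nDATABASE_URL=postgres://db/app?sslmode=require\n' > "$f"
  echo "$f"
}

make_malicious_env() {
  f="$(mktemp)"
  # LD_PRELOAD injection plus a PATH override pointing at a writable dir;
  # the last line deliberately has no trailing newline.
  printf 'BUILDKITE_BUILD_NUMBER=43\nLD_PRELOAD=/tmp/evil.so\nPATH=/tmp/bin:/usr/bin' > "$f"
  echo "$f"
}

benign="$(make_benign_env)"
malicious="$(make_malicious_env)"
if check_env_file "$benign"; then echo "benign env: job allowed"; fi
if check_env_file "$malicious"; then :; else echo "malicious env: job failed"; fi
rm -f "$benign" "$malicious"
```

Run it as-is to see one allowed and one rejected environment; to try your own policy, edit the `case` patterns in `is_blocked` and point `check_env_file` at a file you have written in the same format.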