Remove sprig's env and expandenv functions

Both Helm and ArgoCD remove access to these two due to security implications. It's possible to retrieve the function's pod environmental values. Some of these might be sensitive. See more: https://masterminds.github.io/sprig/os.html argoproj/argo-workflows#5850 https://github.com/helm/helm/blob/e81f6140ddb22bc99a08f7409522a8dbe5338ee3/pkg/engine/funcs.go#L45 Also ran a go fmt. Signed-off-by: Jakub Ciolek <[email protected]>
crossplane-contrib · Feb 5, 2024 · 3be60dc · 3be60dc
1 parent 1fbc444
commit 3be60dc
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/function_maps.go b/function_maps.go
@@ -41,9 +41,15 @@ func GetNewTemplateWithFunctionMaps(delims *v1beta1.Delims) *template.Template {
 		tpl.Funcs(f)
 	}
 	tpl.Funcs(template.FuncMap{
-			"include": initInclude(tpl),
+		"include": initInclude(tpl),
 	})
-	tpl.Funcs(sprig.FuncMap())
+	// Sprig's env and expandenv can lead to information leakage (injected tokens/passwords).
+	// Both Helm and ArgoCD remove these due to security implications.
+	// see: https://masterminds.github.io/sprig/os.html
+	sprigFuncs := sprig.FuncMap()
+	delete(sprigFuncs, "env")
+	delete(sprigFuncs, "expandenv")
+	tpl.Funcs(sprigFuncs)
 
 	return tpl
 }
@@ -103,4 +109,4 @@ func initInclude(t *template.Template) func(string, interface{}) (string, error)
 		return buf.String(), err
 	}
 
-}
+}