fix: add secret survey variable on opentofu task issue #2322 #3083

Open: wants to merge 1 commit into base: develop

10 changes: 10 additions & 0 deletions services/tasks/LocalJob.go
Expand Up @@ -67,13 +67,23 @@ func (t *LocalJob) SetCommit(hash, message string) {
func (t *LocalJob) getEnvironmentExtraVars(username string, incomingVersion *string) (extraVars map[string]any, err error) {

extraVars = make(map[string]any)
extraSecretVars := make(map[string]any)

if t.Environment.JSON != "" {
err = json.Unmarshal([]byte(t.Environment.JSON), &extraVars)
if err != nil {
return
}
}
if t.Secret != "" {
err = json.Unmarshal([]byte(t.Secret), &extraSecretVars)
if err != nil {
return
}
Comment on lines +79 to +82
Copilot AI Jul 31, 2025

The condition t.Secret != "" may not handle the case where t.Secret is "{}" (empty JSON object). Consider checking for both empty string and empty JSON object, or use a more robust validation method.

Suggested change
err = json.Unmarshal([]byte(t.Secret), &extraSecretVars)
if err != nil {
return
}
var tempSecretVars map[string]any
err = json.Unmarshal([]byte(t.Secret), &tempSecretVars)
if err != nil {
return
}
if len(tempSecretVars) > 0 {
extraSecretVars = tempSecretVars
}

Copilot uses AI. Check for mistakes.

}
Copilot AI Jul 31, 2025

Setting t.Secret = "{}" may not be sufficient to clear sensitive data from memory. The original string containing secrets may still exist in memory. Consider using a more secure approach like overwriting the memory or ensuring the original secret data is properly cleared.

Suggested change
}
}
// Securely clear the sensitive data in t.Secret
if len(t.Secret) > 0 {
secretBytes := []byte(t.Secret)
for i := range secretBytes {
secretBytes[i] = 0
}
}

Copilot uses AI. Check for mistakes.

t.Secret = "{}"

maps.Copy(extraVars, extraSecretVars)
Copilot AI Jul 31, 2025

Secret variables are being copied into extraVars which may be used elsewhere in the application. Consider whether these secret values should be masked or handled with additional security measures when stored in the shared extraVars map.

Suggested change
maps.Copy(extraVars, extraSecretVars)
for key, value := range extraSecretVars {
extraVars[key] = maskSensitiveValue(value)
}

Copilot uses AI. Check for mistakes.
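
One way to address the concern in the comment above, as an added example that is not code from this pull request or from the project: keep the real secret values in the merged map and mask only the copy used for logs or other output. The names `mergeVars` and `redact`, the `***` mask, the choice to reject key collisions and the sample values are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// mergeVars decodes both documents, merges them for the task run and returns
// the secret key set; a secret may not silently replace an environment key.
func mergeVars(envJSON, secretJSON string) (map[string]any, map[string]bool, error) {
	vars, secrets, secretKeys := map[string]any{}, map[string]any{}, map[string]bool{}
	if envJSON != "" {
		if err := json.Unmarshal([]byte(envJSON), &vars); err != nil {
			return nil, nil, fmt.Errorf("environment JSON: %w", err)
		}
	}
	if secretJSON != "" {
		if err := json.Unmarshal([]byte(secretJSON), &secrets); err != nil {
			return nil, nil, fmt.Errorf("secret JSON: %w", err)
		}
	}
	if vars == nil { // a JSON null document leaves the map nil
		vars = map[string]any{}
	}
	for k, v := range secrets {
		if _, clash := vars[k]; clash {
			return nil, nil, fmt.Errorf("secret %q collides with an environment variable", k)
		}
		vars[k] = v
		secretKeys[k] = true
	}
	return vars, secretKeys, nil
}

// redact returns a copy of vars that is safe to log or serialize.
func redact(vars map[string]any, secretKeys map[string]bool) map[string]any {
	out := make(map[string]any, len(vars))
	for k, v := range vars {
		if secretKeys[k] {
			v = "***"
		}
		out[k] = v
	}
	return out
}

func main() {
	vars, keys, err := mergeVars(`{"region":"eu-1"}`, `{"db_password":"s3cr3t"}`) // constructed sample
	fmt.Println(redact(vars, keys), err)
}
```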


taskDetails := make(map[string]any)
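
Review bot: at `maps.Copy(extraVars, extraSecretVars)` a secret key silently replaces a same-named key parsed from `t.Environment.JSON`, and the returned map no longer records which entries are secret, so callers cannot redact them before logging or serializing. Consider rejecting or at least reporting collisions, and returning the secret key names alongside `extraVars`. Separately, `t.Secret = "{}"` runs unconditionally inside a function named as a getter, so a second call on the same `LocalJob` returns no secret variables; if the reset is intentional, say so in a comment, otherwise move it to the point where the job is finished with the secret.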
