dbx12 / envmanager
A tool to manage your shell environment using secure storage for your secrets.
License: GNU General Public License v3.0
Only affects password storage pass
E
is)
Command 'gpg:' not found, did you mean:
  command 'gpgv' from deb gpgv (2.2.19-3ubuntu2.2)
  command 'gpg2' from deb gnupg2 (2.2.19-3ubuntu2.2)
  command 'gpg1' from deb gnupg1 (1.4.23-1)
  command 'gpg' from deb gpg (2.2.19-3ubuntu2.2)
Try: sudo apt install <deb name>
Apparently the library github.com/gopasspw/gopass uses the gpg binary internally. And this binary outputs a note (gpg: Note: secret key <fingerprint> expired at Wed 31 Aug 2022 09:43:32 AM CEST) if an expired key is used for decryption. That output on stderr is not caught by the library and emitted on the stderr of envManager along with the export statements. The wrapper takes this output on stderr and evals it to execute the export statements.
eval on the output of the envManager binary can pose a security risk. Potential scenario is a targeted supply chain attack on this project by a library which outputs malicious code on stderr with the intent of having envManager eval-ing it.

Actual behavior
If two profiles define the same environment variable and both profiles are loaded, the last profile wins and overwrites the earlier loaded environment variables.
Expected behavior
An error message / warning is shown when one profile overwrites a variable set by another profile during the same load command.
Additional notes
envManager load profA profB
)
How to reproduce
Config:
storage:
  pass:
    type: pass
profiles:
  profA:
    storage: pass
    path: credA
    constEnv:
      CONST_ENV: i-am-from-profile-A
  profB:
    storage: pass
    path: credB
    constEnv:
      CONST_ENV: i-am-from-profile-B
directoryMapping:
  /tmp:
    - profA
    - profB
envManager load profA profB and you see CONST_ENV=i-am-from-profile-B. Swap the profile names and you see the value of profile A
envManager load while in /tmp and see again the value from profile B
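
The eval risk described in the first issue above can be narrowed by validating every line before it reaches eval. The following is an added example, not code from the envManager project: the function names, the export NAME='value' line format and the decision to fail closed are assumptions, and it makes no assumption about which stream carries the statements.

```shell
# Added example, not envManager's own wrapper. Assumed line format:
#   export NAME='value'   (value contains no single quote)
# Inside single quotes the shell expands nothing, so a line that passes
# this check cannot run a command when it is eval'd.
is_safe_export() {
    printf '%s\n' "$1" | grep -Eq "^export [A-Za-z_][A-Za-z0-9_]*='[^']*'\$"
}

# Read candidate statements on stdin and echo them back only if every
# non-empty line passes. One bad line rejects the whole batch.
filter_exports() {
    accepted=""
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then
            continue
        fi
        if ! is_safe_export "$line"; then
            printf 'refusing to eval: %s\n' "$line" >&2
            return 1
        fi
        accepted="${accepted}${line}
"
    done
    printf '%s' "$accepted"
}

# Hypothetical wrapper: run the given command, capture stdout and stderr
# together, and eval the result only when the whole capture validated.
# A stray diagnostic (such as the gpg expiry note) aborts the load
# instead of being executed as a command.
safe_load() {
    statements=$("$@" 2>&1 | filter_exports) || return 1
    eval "$statements"
}
```

A line that matches the format can still set a sensitive variable such as PATH, so a wrapper built this way may additionally restrict the accepted names to the ones the loaded profiles declare.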