Module: EnvSensitive Private

Extended by:
T::Helpers
Included in:
ENV, EnvActivation
Defined in:
extend/ENV.rbi,
extend/ENV/sensitive.rb

This module is part of a private API. This module may only be used in the Homebrew/brew repository. Third parties should avoid using this module if possible, as it may be removed or changed without warning.

Constant Summary

DEFERRED_PLACEHOLDER_PREFIX =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

bin/brew re-execs with only HOMEBREW_* variables (plus a fixed non-secret allowlist) in the environment, so every secret reaching formula/cask evaluation is HOMEBREW_*. These markers wrap a deferred secret name interpolated into the DSL in place of the real value; the real value is swapped back in at download time by expand_deferred_environment.

"{{HOMEBREW_DEFERRED_ENV:"

DEFERRED_PLACEHOLDER_SUFFIX =
"}}"

Instance Method Details

#clear_sensitive_environment!(except: [], defer: false, &block) ⇒ T.untyped

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

  • except (Array<String>) (defaults to: [])
  • defer (Boolean) (defaults to: false)
  • block (T.proc.returns(T.untyped), nil)

Returns:

  • (T.untyped)


# File 'extend/ENV/sensitive.rb', line 36

def clear_sensitive_environment!(except: [], defer: false, &block)
  unless block
    each_key do |key|
      next unless sensitive?(key)
      next if except.include?(key)

      if defer
        self[key] = "#{DEFERRED_PLACEHOLDER_PREFIX}#{key}#{DEFERRED_PLACEHOLDER_SUFFIX}"
      else
        delete key
      end
    end
    return
  end

  old_env = to_hash.dup
  begin
    clear_sensitive_environment!(except:, defer:)
    yield
  ensure
    replace(old_env)
  end
end

#clear_sensitive_environment_for_eval!(&block) ⇒ T.untyped

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

  • block (T.proc.returns(T.untyped))

Returns:

  • (T.untyped)


# File 'extend/ENV/sensitive.rb', line 61

def clear_sensitive_environment_for_eval!(&block)
  clear_sensitive_environment!(except: ["HOMEBREW_GITHUB_API_TOKEN"], defer: true, &block)
end

#expand_deferred_environment(value) ⇒ String

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Only the download path (a URL's header:/specs) calls this, so a masked secret is resolved to its real value solely when fetching, never elsewhere in the DSL.

Parameters:

Returns:

  • (String)



# File 'extend/ENV/sensitive.rb', line 69

def expand_deferred_environment(value)
  return value unless value.include?(DEFERRED_PLACEHOLDER_PREFIX)

  prefix = Regexp.escape(DEFERRED_PLACEHOLDER_PREFIX)
  suffix = Regexp.escape(DEFERRED_PLACEHOLDER_SUFFIX)
  value.gsub(/#{prefix}(HOMEBREW_\w+)#{suffix}/) do
    name = Regexp.last_match(1)
    name ? fetch(name, "") : ""
  end
end
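
The deferral and expansion documented above, traced end to end as an added example (not Homebrew's code). A Hash subclass named ModelEnv stands in for ENV; the names with_deferred_secrets, expand, HOMEBREW_ARTIFACT_TOKEN, HOMEBREW_MISSING_KEY and every value are assumptions made for the illustration.

```ruby
# Added model of the defer/expand flow; a Hash subclass stands in for ENV.
PREFIX = "{{HOMEBREW_DEFERRED_ENV:"
SUFFIX = "}}"
SENSITIVE = /(cookie|key|token|password|passphrase|auth)/i

class ModelEnv < Hash
  # Mask sensitive variables with placeholders while the block runs, then restore.
  def with_deferred_secrets(except: [])
    saved = dup
    each_key do |k|
      self[k] = "#{PREFIX}#{k}#{SUFFIX}" if k.match?(SENSITIVE) && !except.include?(k)
    end
    yield
  ensure
    replace(saved) if saved
  end

  # Download-time expansion: only HOMEBREW_* placeholder names are resolved.
  def expand(value)
    value.gsub(/#{Regexp.escape(PREFIX)}(HOMEBREW_\w+)#{Regexp.escape(SUFFIX)}/) do
      fetch(Regexp.last_match(1), "")
    end
  end
end

# Constructed environment and header; every name and value below is made up
# except HOMEBREW_GITHUB_API_TOKEN, which the page lists as exempt from masking.
def trace_deferred_secret
  env = ModelEnv[
    "HOMEBREW_GITHUB_API_TOKEN" => "constructed-github-token",
    "HOMEBREW_ARTIFACT_TOKEN" => "s3cr3t-constructed",
    "HOMEBREW_NO_COLOR" => "1"
  ]
  seen = header = nil
  env.with_deferred_secrets(except: ["HOMEBREW_GITHUB_API_TOKEN"]) do
    seen = {}.merge(env) # snapshot of what evaluated DSL code can read
    header = "Authorization: Bearer #{env["HOMEBREW_ARTIFACT_TOKEN"]}"
  end
  {
    seen: seen,
    header: header,                   # still masked after evaluation
    sent: env.expand(header),         # real value appears only here
    restored: env["HOMEBREW_ARTIFACT_TOKEN"],
    unset: env.expand("X-Key: #{PREFIX}HOMEBREW_MISSING_KEY#{SUFFIX}"),
    foreign: env.expand("#{PREFIX}AWS_SECRET_ACCESS_KEY#{SUFFIX}")
  }
end

p trace_deferred_secret if $PROGRAM_NAME == __FILE__
```

The foreign entry comes back unchanged because the expansion pattern only accepts names starting with HOMEBREW_, and the unset entry resolves to an empty string instead of leaving the placeholder in the header.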

#sensitive?(key) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:

  • (Boolean)


# File 'extend/ENV/sensitive.rb', line 20

def sensitive?(key)
  key.match?(/(cookie|key|token|password|passphrase|auth)/i)
end

#sensitive_environment ⇒ Hash{String => String}

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

  • (Hash{String => String})



# File 'extend/ENV/sensitive.rb', line 25

def sensitive_environment
  select { |key, _| sensitive?(key) }
end