Merge pull request from GHSA-pwx5-6wxg-px5h

* fix(secrets): split env injection based on allow_substitution value

* upgrade sdk server and types

Author: ecrupper

executor/linux/build.go

@@ -199,8 +199,12 @@ func (c *client) PlanBuild(ctx context.Context) error {
 
 		_log.AppendData(append(sRaw, "\n"...))
 
-		// add secret to the map
-		c.Secrets[secret.Name] = s
+		// add secret to the appropriate map
+		if s.GetAllowSubstitution() {
+			c.Secrets[secret.Name] = s
+		} else {
+			c.NoSubSecrets[secret.Name] = s
+		}
 	}
 
 	// escape newlines in secrets loaded on build_start
@@ -699,6 +703,7 @@ func loadLazySecrets(c *client, _step *pipeline.Container) error {
 	_log := new(library.Log)
 
 	lazySecrets := make(map[string]*library.Secret)
+	lazyNoSubSecrets := make(map[string]*library.Secret)
 
 	// this requires a small preface and brief description on
 	// how normal secrets make it into a container:
@@ -797,8 +802,12 @@ func loadLazySecrets(c *client, _step *pipeline.Container) error {
 				return err
 			}
 
-			// add secret to the temp map
-			lazySecrets[secret.Name] = s
+			// add secret to the appropriate temp map
+			if s.GetAllowSubstitution() {
+				lazySecrets[secret.Name] = s
+			} else {
+				lazyNoSubSecrets[secret.Name] = s
+			}
 		}
 	}
 
@@ -836,6 +845,13 @@ func loadLazySecrets(c *client, _step *pipeline.Container) error {
 			return err
 		}
 
+		c.Logger.Debug("injecting no-sub lazy loaded secrets")
+		// inject secrets for container
+		err = injectSecrets(tmpStep, lazyNoSubSecrets)
+		if err != nil {
+			return err
+		}
+
 		c.Logger.Debug("merge lazy loaded secrets into container")
 		// merge lazy load secrets into original container
 		err = _step.MergeEnv(tmpStep.Environment)

executor/linux/linux.go

@@ -19,12 +19,13 @@ type (
 	// client manages communication with the pipeline resources.
 	client struct {
 		// https://pkg.go.dev/github.com/sirupsen/logrus#Entry
-		Logger   *logrus.Entry
-		Vela     *vela.Client
-		Runtime  runtime.Engine
-		Secrets  map[string]*library.Secret
-		Hostname string
-		Version  string
+		Logger       *logrus.Entry
+		Vela         *vela.Client
+		Runtime      runtime.Engine
+		Secrets      map[string]*library.Secret
+		NoSubSecrets map[string]*library.Secret
+		Hostname     string
+		Version      string
 
 		// clients for build actions
 		secret *secretSvc
@@ -67,6 +68,7 @@ func Equal(a, b *client) bool {
 		reflect.DeepEqual(a.Vela, b.Vela) &&
 		reflect.DeepEqual(a.Runtime, b.Runtime) &&
 		reflect.DeepEqual(a.Secrets, b.Secrets) &&
+		reflect.DeepEqual(a.NoSubSecrets, b.NoSubSecrets) &&
 		a.Hostname == b.Hostname &&
 		a.Version == b.Version &&
 		reflect.DeepEqual(a.init, b.init) &&
@@ -118,6 +120,9 @@ func New(opts ...Opt) (*client, error) {
 	// instantiate map for non-plugin secrets
 	c.Secrets = make(map[string]*library.Secret)
 
+	// instantiate map for non-substituted secrets
+	c.NoSubSecrets = make(map[string]*library.Secret)
+
 	// instantiate all client services
 	c.secret = &secretSvc{client: c}
 

executor/linux/secret.go

@@ -67,6 +67,13 @@ func (s *secretSvc) create(ctx context.Context, ctn *pipeline.Container) error {
 		return fmt.Errorf("unable to substitute container configuration")
 	}
 
+	logger.Debug("injecting non-substituted secrets")
+	// inject no-substitution secrets for container
+	err = injectSecrets(ctn, s.client.NoSubSecrets)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 

executor/linux/service.go

@@ -55,6 +55,13 @@ func (c *client) CreateService(ctx context.Context, ctn *pipeline.Container) err
 		return fmt.Errorf("unable to substitute container configuration")
 	}
 
+	logger.Debug("injecting non-substituted secrets")
+	// inject no-substitution secrets for container
+	err = injectSecrets(ctn, c.NoSubSecrets)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 

executor/linux/step.go

@@ -65,6 +65,13 @@ func (c *client) CreateStep(ctx context.Context, ctn *pipeline.Container) error
 		return fmt.Errorf("unable to substitute container configuration")
 	}
 
+	logger.Debug("injecting non-substituted secrets")
+	// inject no-substitution secrets for container
+	err = injectSecrets(ctn, c.NoSubSecrets)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 

go.mod

@@ -8,9 +8,9 @@ require (
 	github.com/docker/docker v24.0.9+incompatible
 	github.com/docker/go-units v0.5.0
 	github.com/gin-gonic/gin v1.9.1
-	github.com/go-vela/sdk-go v0.23.1
-	github.com/go-vela/server v0.23.1
-	github.com/go-vela/types v0.23.1
+	github.com/go-vela/sdk-go v0.23.2-0.20240312184917-e3a34719badf
+	github.com/go-vela/server v0.23.2-0.20240312184244-a645c822da1d
+	github.com/go-vela/types v0.23.2-0.20240312183632-2e046fceb8fe
 	github.com/golang-jwt/jwt/v5 v5.2.0
 	github.com/google/go-cmp v0.6.0
 	github.com/joho/godotenv v1.5.1

go.sum

@@ -94,12 +94,12 @@ github.com/go-playground/validator/v10 v10.14.0 h1:vgvQWe3XCz3gIeFDm/HnTIbj6UGmg
 github.com/go-playground/validator/v10 v10.14.0/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
-github.com/go-vela/sdk-go v0.23.1 h1:4KxfAF1vR8DvtRraBoWQDIm8f8zxXP806lJR3MmTlC8=
-github.com/go-vela/sdk-go v0.23.1/go.mod h1:zDsZIePtBdpCZwmwAWqGWuIch/oGliX1zd51PARTHBk=
-github.com/go-vela/server v0.23.1 h1:Y+mGfB79RjIgQ3IEkPjGB6IneB2So3ZXE4XKY+Z02xc=
-github.com/go-vela/server v0.23.1/go.mod h1:B+A5lRPOlAVYyXBMGCAJKhPQOlfJuWl3qaRcvhsUqSA=
-github.com/go-vela/types v0.23.1 h1:st4BeDcYVyaaFqblU1YroztNvmYLBgmfZpWq0En0Sg0=
-github.com/go-vela/types v0.23.1/go.mod h1:AAqgxIw1aRBgPkE/5juGuiwh/JZuOtL8fcPaEkjFWwQ=
+github.com/go-vela/sdk-go v0.23.2-0.20240312184917-e3a34719badf h1:8Oka4tMHOdy/DsInyg7c/XPY5wqWWE7Yvzx/u67WBuw=
+github.com/go-vela/sdk-go v0.23.2-0.20240312184917-e3a34719badf/go.mod h1:XjrVfIDw2SZDFBtJ5vqVse/GFj89MF542N20P8U5a3I=
+github.com/go-vela/server v0.23.2-0.20240312184244-a645c822da1d h1:VynpkAIMt3KTh9BaICQdpu6c76/hHU3d4/Ab44bmFew=
+github.com/go-vela/server v0.23.2-0.20240312184244-a645c822da1d/go.mod h1:EsDVTqQHQ9snXG2DhUl9uo4+Cf/b9nMiESCkxSjmP90=
+github.com/go-vela/types v0.23.2-0.20240312183632-2e046fceb8fe h1:Fb28yre0nrX1GNeyPN8i8rruTlW8MnPVF3Fo5xTuOkg=
+github.com/go-vela/types v0.23.2-0.20240312183632-2e046fceb8fe/go.mod h1:AAqgxIw1aRBgPkE/5juGuiwh/JZuOtL8fcPaEkjFWwQ=
 github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=