You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We pass a lot of bugbot's config into the web services via environment variables, including potentially in the future secrets/tokens. When a runner calls spawn() to start electron-fiddle, we should sanitize the environment variables so that none of that is visible to user-supplied test gists.
The text was updated successfully, but these errors were encountered:
The issue is that just sanitizing the env on the spawned process isn't enough to prevent the spawned process reading that env. E.g. ps e -ww -p {pid} lets you read env for any other pid.
The env of the runner can't contain any secrets at all or the runner needs to run the apps in an even more isolated environment
We pass a lot of bugbot's config into the web services via environment variables, including potentially in the future secrets/tokens. When a runner calls
spawn()
to start electron-fiddle, we should sanitize the environment variables so that none of that is visible to user-supplied test gists.The text was updated successfully, but these errors were encountered: