feat: split trustLevel into separate options (#9388)

Removes trustLevel and replaces it with 3 other options instead. No longer necessary to set anything additional is configuring `allowedPostUpgradeCommands`

BREAKING CHANGE: `trustLevel` is no longer supported and instead broken into `allowCustomCrateRegistries` , `allowScripts` , and `exposeAllEnv`.

docs/usage/self-hosted-configuration.md

@@ -9,6 +9,8 @@ The configuration options listed in this document are applicable to self-hosted
 
 Please also see [Self-Hosted Experimental Options](./self-hosted-experimental.md).
 
+## allowCustomCrateRegistries
+
 ## allowPostUpgradeCommandTemplating
 
 Set to true to allow templating of dependency level post-upgrade commands.
@@ -52,6 +54,8 @@ npm ci --ignore-scripts
 npx ng update @angular/core --from=10.0.0 --to=11.0.0 --migrate-only --allow-dirty --force
 ```
 
+## allowScripts
+
 ## allowedPostUpgradeCommands
 
 A list of regular expressions that determine which commands in `postUpgradeTasks` are allowed to be executed.
@@ -186,6 +190,13 @@ e.g.
 
 ## endpoint
 
+## exposeAllEnv
+
+By default, Renovate will only pass a limited set of environment variables to package managers.
+Potentially, there could be leaks of confidential data if a script you don't trust enumerates all values in env, so set this to true only if you trust the repositories which the bot runs against.
+
+Setting this to true will also allow for variable substitution in `.npmrc` files.
+
 ## force
 
 This object is used as a "force override" when you need to make sure certain configuration overrides whatever is configured in the repository.
@@ -375,13 +386,4 @@ This is currently applicable to `npm` and `lerna`/`npm` only, and only used in c
 
 ## token
 
-## trustLevel
-
-Setting trustLevel to `"high"` can make sense in many self-hosted cases where the bot operator trusts the content in each repository.
-
-Setting trustLevel=high means:
-
-- Child processes are run with full access to `env`
-- `.npmrc` files can have environment variable substitution performed
-
 ## username

lib/config/__snapshots__/migration.spec.ts.snap

@@ -78,6 +78,8 @@ Array [
 exports[`config/migration migrateConfig(config, parentConfig) migrates config 1`] = `
 Object {
   "additionalBranchPrefix": "{{parentDir}}-",
+  "allowCustomCrateRegistries": true,
+  "allowScripts": true,
   "autodiscover": true,
   "automerge": false,
   "automergeType": "branch",
@@ -94,6 +96,7 @@ Object {
   "dependencyDashboard": true,
   "dependencyDashboardTitle": "foo",
   "enabled": true,
+  "exposeAllEnv": true,
   "extends": Array [
     ":automergeBranch",
     "config:js-app",
@@ -109,8 +112,8 @@ Object {
   "includeForks": true,
   "lockFileMaintenance": Object {
     "automerge": true,
+    "exposeAllEnv": false,
     "schedule": "before 5am",
-    "trustLevel": "low",
   },
   "major": Object {
     "automerge": false,
@@ -243,7 +246,6 @@ Object {
   "travis": Object {
     "enabled": true,
   },
-  "trustLevel": "high",
 }
 `;
 

lib/config/admin.ts

@@ -4,15 +4,17 @@ let adminConfig: RepoAdminConfig = {};
 
 // TODO: once admin config work is complete, add a test to make sure this list includes all options with admin=true
 export const repoAdminOptions = [
+  'allowCustomCrateRegistries',
   'allowPostUpgradeCommandTemplating',
+  'allowScripts',
   'allowedPostUpgradeCommands',
   'customEnvVariables',
   'dockerChildPrefix',
   'dockerImagePrefix',
   'dockerUser',
   'dryRun',
+  'exposeAllEnv',
   'privateKey',
-  'trustLevel',
 ];
 
 export function setAdminConfig(config: RenovateConfig = {}): void {

lib/config/definitions.ts

@@ -473,17 +473,33 @@ const options: RenovateOptions[] = [
     default: false,
   },
   {
-    name: 'trustLevel',
+    name: 'exposeAllEnv',
     description:
-      'Set this to "high" if the bot should trust the repository owners/contents.',
+      'Configure this to true to allow passing of all env variables to package managers.',
     admin: true,
-    type: 'string',
-    default: 'low',
+    type: 'boolean',
+    default: false,
+  },
+  {
+    name: 'allowScripts',
+    description:
+      'Configure this to true if repositories are allowed to run install scripts.',
+    admin: true,
+    type: 'boolean',
+    default: false,
+  },
+  {
+    name: 'allowCustomCrateRegistries',
+    description:
+      'Configure this to true if custom crate registries are allowed.',
+    admin: true,
+    type: 'boolean',
+    default: false,
   },
   {
     name: 'ignoreScripts',
     description:
-      'Configure this to true if trustLevel is high but you wish to skip running scripts when updating lock files.',
+      'Configure this to true if allowScripts=true but you wish to skip running scripts when updating lock files.',
     type: 'boolean',
     default: false,
   },

lib/config/migration.spec.ts

@@ -56,6 +56,7 @@ describe(getName(__filename), () => {
         masterIssueTitle: 'foo',
         gomodTidy: true,
         upgradeInRange: true,
+        trustLevel: 'high',
         automergeType: 'branch-push',
         branchName:
           '{{{branchPrefix}}}{{{managerBranchPrefix}}}{{{branchTopic}}}{{{baseDir}}}',

lib/config/migration.ts

@@ -191,11 +191,14 @@ export function migrateConfig(
           migratedConfig.rebaseWhen = 'never';
         }
       } else if (key === 'exposeEnv') {
+        migratedConfig.exposeAllEnv = val;
         delete migratedConfig.exposeEnv;
-        if (val === true) {
-          migratedConfig.trustLevel = 'high';
-        } else if (val === false) {
-          migratedConfig.trustLevel = 'low';
+      } else if (key === 'trustLevel') {
+        delete migratedConfig.trustLevel;
+        if (val === 'high') {
+          migratedConfig.allowCustomCrateRegistries ??= true;
+          migratedConfig.allowScripts ??= true;
+          migratedConfig.exposeAllEnv ??= true;
         }
       } else if (
         key === 'branchName' &&

lib/config/types.ts

@@ -83,15 +83,17 @@ export interface GlobalOnlyConfig {
 // Config options used within the repository worker, but not user configurable
 // The below should contain config options where admin=true
 export interface RepoAdminConfig {
+  allowCustomCrateRegistries?: boolean;
   allowPostUpgradeCommandTemplating?: boolean;
+  allowScripts?: boolean;
   allowedPostUpgradeCommands?: string[];
   customEnvVariables?: Record<string, string>;
   dockerChildPrefix?: string;
   dockerImagePrefix?: string;
   dockerUser?: string;
   dryRun?: boolean;
+  exposeAllEnv?: boolean;
   privateKey?: string | Buffer;
-  trustLevel?: 'low' | 'high';
 }
 
 export interface LegacyAdminConfig {

lib/datasource/crate/__snapshots__/index.spec.ts.snap

@@ -331,7 +331,7 @@ Array [
 ]
 `;
 
-exports[`datasource/crate/index getReleases refuses to clone if trustLevel is not high 1`] = `null`;
+exports[`datasource/crate/index getReleases refuses to clone if allowCustomCrateRegistries is not true 1`] = `null`;
 
 exports[`datasource/crate/index getReleases returns null for 404 1`] = `
 Array [

lib/datasource/crate/index.spec.ts

@@ -225,7 +225,7 @@ describe(getName(__filename), () => {
       expect(res).toBeDefined();
       expect(httpMock.getTrace()).toMatchSnapshot();
     });
-    it('refuses to clone if trustLevel is not high', async () => {
+    it('refuses to clone if allowCustomCrateRegistries is not true', async () => {
       const { mockClone } = setupGitMocks();
 
       const url = 'https://dl.cloudsmith.io/basic/myorg/myrepo/cargo/index.git';
@@ -240,7 +240,7 @@ describe(getName(__filename), () => {
     });
     it('clones cloudsmith private registry', async () => {
       const { mockClone } = setupGitMocks();
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ allowCustomCrateRegistries: true });
       const url = 'https://dl.cloudsmith.io/basic/myorg/myrepo/cargo/index.git';
       const res = await getPkgReleases({
         datasource,
@@ -254,7 +254,7 @@ describe(getName(__filename), () => {
     });
     it('clones other private registry', async () => {
       const { mockClone } = setupGitMocks();
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ allowCustomCrateRegistries: true });
       const url = 'https://github.com/mcorbin/testregistry';
       const res = await getPkgReleases({
         datasource,
@@ -268,7 +268,7 @@ describe(getName(__filename), () => {
     });
     it('clones once then reuses the cache', async () => {
       const { mockClone } = setupGitMocks();
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ allowCustomCrateRegistries: true });
       const url = 'https://github.com/mcorbin/othertestregistry';
       await getPkgReleases({
         datasource,
@@ -284,7 +284,7 @@ describe(getName(__filename), () => {
     });
     it('guards against race conditions while cloning', async () => {
       const { mockClone } = setupGitMocks(250);
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ allowCustomCrateRegistries: true });
       const url = 'https://github.com/mcorbin/othertestregistry';
 
       await Promise.all([
@@ -310,7 +310,7 @@ describe(getName(__filename), () => {
     });
     it('returns null when git clone fails', async () => {
       setupErrorGitMock();
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ allowCustomCrateRegistries: true });
       const url = 'https://github.com/mcorbin/othertestregistry';
 
       const result = await getPkgReleases({

lib/datasource/crate/index.ts

@@ -163,9 +163,9 @@ async function fetchRegistryInfo(
   };
 
   if (flavor !== RegistryFlavor.CratesIo) {
-    if (getAdminConfig().trustLevel !== 'high') {
+    if (!getAdminConfig().allowCustomCrateRegistries) {
       logger.warn(
-        'crate datasource: trustLevel=high is required for registries other than crates.io, bailing out'
+        'crate datasource: allowCustomCrateRegistries=true is required for registries other than crates.io, bailing out'
       );
       return null;
     }

lib/datasource/npm/index.spec.ts

@@ -359,7 +359,7 @@ describe(getName(__filename), () => {
       .reply(200, npmResponse);
     process.env.REGISTRY = 'https://registry.from-env.com';
     process.env.RENOVATE_CACHE_NPM_MINUTES = '15';
-    setAdminConfig({ trustLevel: 'high' });
+    setAdminConfig({ exposeAllEnv: true });
     // eslint-disable-next-line no-template-curly-in-string
     const npmrc = 'registry=${REGISTRY}';
     const res = await getPkgReleases({ datasource, depName: 'foobar', npmrc });
@@ -368,7 +368,7 @@ describe(getName(__filename), () => {
   });
 
   it('should throw error if necessary env var is not present', () => {
-    setAdminConfig({ trustLevel: 'high' });
+    setAdminConfig({ exposeAllEnv: true });
     // eslint-disable-next-line no-template-curly-in-string
     expect(() => setNpmrc('registry=${REGISTRY_MISSING}')).toThrow(
       Error('env-replace')

lib/datasource/npm/npmrc.spec.ts

@@ -38,7 +38,7 @@ describe(getName(__filename), () => {
   });
 
   it('sanitize _authtoken with high trust', () => {
-    setAdminConfig({ trustLevel: 'high' });
+    setAdminConfig({ exposeAllEnv: true });
     process.env.TEST_TOKEN = 'test';
     setNpmrc(
       // eslint-disable-next-line no-template-curly-in-string

lib/datasource/npm/npmrc.ts

@@ -61,13 +61,13 @@ export function setNpmrc(input?: string): void {
     npmrcRaw = input;
     logger.debug('Setting npmrc');
     npmrc = ini.parse(input.replace(/\\n/g, '\n'));
-    const { trustLevel } = getAdminConfig();
+    const { exposeAllEnv } = getAdminConfig();
     for (const [key, val] of Object.entries(npmrc)) {
-      if (trustLevel !== 'high') {
+      if (!exposeAllEnv) {
         sanitize(key, val);
       }
       if (
-        trustLevel !== 'high' &&
+        !exposeAllEnv &&
         key.endsWith('registry') &&
         val &&
         val.includes('localhost')
@@ -80,7 +80,7 @@ export function setNpmrc(input?: string): void {
         return;
       }
     }
-    if (trustLevel !== 'high') {
+    if (!exposeAllEnv) {
       return;
     }
     for (const key of Object.keys(npmrc)) {

lib/manager/composer/artifacts.spec.ts

@@ -30,6 +30,7 @@ const config = {
   localDir: join('/tmp/github/some/repo'),
   cacheDir: join('/tmp/renovate/cache'),
   composerIgnorePlatformReqs: true,
+  ignoreScripts: false,
 };
 
 const repoStatus = partial<StatusResult>({
@@ -46,7 +47,7 @@ describe('.updateArtifacts()', () => {
     await setUtilConfig(config);
     docker.resetPrefetchedImages();
     hostRules.clear();
-    setAdminConfig();
+    setAdminConfig({ allowScripts: false });
   });
   it('returns if no composer.lock found', async () => {
     expect(
@@ -63,7 +64,7 @@ describe('.updateArtifacts()', () => {
     const execSnapshots = mockExecAll(exec);
     fs.readLocalFile.mockReturnValueOnce('Current composer.lock' as any);
     git.getRepoStatus.mockResolvedValue(repoStatus);
-    setAdminConfig({ trustLevel: 'high' });
+    setAdminConfig({ allowScripts: true });
     expect(
       await composer.updateArtifacts({
         packageFileName: 'composer.json',

lib/manager/composer/artifacts.ts

@@ -151,7 +151,7 @@ export async function updateArtifacts({
       args += ' --ignore-platform-reqs';
     }
     args += ' --no-ansi --no-interaction';
-    if (getAdminConfig().trustLevel !== 'high' || config.ignoreScripts) {
+    if (!getAdminConfig().allowScripts || config.ignoreScripts) {
       args += ' --no-scripts --no-autoloader';
     }
     logger.debug({ cmd, args }, 'composer command');

lib/manager/npm/extract/index.ts

@@ -107,7 +107,7 @@ export async function extractPackageFile(
       npmrc = npmrc.replace(/(^|\n)package-lock.*?(\n|$)/g, '\n');
     }
     if (is.string(npmrc)) {
-      if (npmrc.includes('=${') && getAdminConfig().trustLevel !== 'high') {
+      if (npmrc.includes('=${') && !getAdminConfig().exposeAllEnv) {
         logger.debug('Discarding .npmrc file with variables');
         ignoreNpmrcFile = true;
         npmrc = undefined;

lib/manager/npm/post-update/lerna.spec.ts

@@ -109,7 +109,7 @@ describe(getName(__filename), () => {
     });
     it('allows scripts for trust level high', async () => {
       const execSnapshots = mockExecAll(exec);
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ allowScripts: true });
       const res = await lernaHelper.generateLockFiles(
         lernaPkgFile('npm'),
         'some-dir',

lib/manager/npm/post-update/lerna.ts

@@ -72,10 +72,7 @@ export async function generateLockFiles(
       return { error: false };
     }
     let lernaCommand = `lerna bootstrap --no-ci --ignore-scripts -- `;
-    if (
-      getAdminConfig().trustLevel === 'high' &&
-      config.ignoreScripts !== false
-    ) {
+    if (getAdminConfig().allowScripts && config.ignoreScripts !== false) {
       cmdOptions = cmdOptions.replace('--ignore-scripts ', '');
       lernaCommand = lernaCommand.replace('--ignore-scripts ', '');
     }
@@ -96,7 +93,7 @@ export async function generateLockFiles(
       },
     };
     // istanbul ignore if
-    if (getAdminConfig().trustLevel === 'high') {
+    if (getAdminConfig().exposeAllEnv) {
       execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH;
       execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL;
     }

lib/manager/npm/post-update/npm.ts

@@ -71,7 +71,7 @@ export async function generateLockFile(
       },
     };
     // istanbul ignore if
-    if (getAdminConfig().trustLevel === 'high') {
+    if (getAdminConfig().exposeAllEnv) {
       execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH;
       execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL;
     }