[bug] Environment variable value cannot contain = #1231

cfergeau · 2022-11-15T09:44:25Z

Describe the bug
I'm following the steps from https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md in order to use SLSA in my project
When building [my project](https://gtihub.com/cfergeau/vfkit/tree/slsa] I want to set CGO_CFLAGS=-mmacosx-version-min=11.0 in the environment.
I added this to my .slsa-goreleaser.yml:

env:
  - CGO_ENABLED=1
  - CGO_CFLAGS=-mmacosx-version-min=11.0

but the 'build dry project' step fails with invalid environment variable: CGO_CFLAGS=-mmacosx-version-min=11.0
https://github.com/cfergeau/vfkit/actions/runs/3469089554/jobs/5795684619

This seems to be caused by this code

slsa-github-generator/internal/builders/go/pkg/config.go

Lines 170 to 173 in eb79b8b

    
           es := strings.Split(e, "=") 
        
           if len(es) != 2 { 
        
           	return fmt.Errorf("%w: %s", ErrorInvalidEnvironmentVariable, e) 
        
           }

which do not expect the env var line to contain 2 = signs.

To Reproduce
Steps to reproduce the behavior:

Add a env: -CGO_CFLAGS=a=b line to your .slsa-goreleaser-yml
Trigger the slsa github actions workflow

Expected behavior
I think a change such as this one would let me use = in env vars.

diff --git a/internal/builders/go/pkg/config.go b/internal/builders/go/pkg/config.go
index 1df1bf7..eba3e39 100644
--- a/internal/builders/go/pkg/config.go
+++ b/internal/builders/go/pkg/config.go
@@ -167,11 +167,11 @@ func validateVersion(cf *goReleaserConfigFile) error {
 func (r *GoReleaserConfig) setEnvs(cf *goReleaserConfigFile) error {
 	m := make(map[string]string)
 	for _, e := range cf.Env {
-		es := strings.Split(e, "=")
-		if len(es) != 2 {
+		name, value, present := strings.Cut(e, "=")
+		if value == "" || !present {
 			return fmt.Errorf("%w: %s", ErrorInvalidEnvironmentVariable, e)
 		}
-		m[es[0]] = es[1]
+		m[name] = value
 	}
 
 	if len(m) > 0 {

The text was updated successfully, but these errors were encountered:

asraa · 2022-11-15T16:02:07Z

Thanks! I think your proposed code snippet is correct, and I'm in support of making this change.
@laurentsimon

laurentsimon · 2022-11-15T16:20:09Z

+1, good catch and thanks for filing the bug. Do you want to send a PR for this?

cfergeau · 2022-11-15T16:24:12Z

Sure, I'll send a PR!

If .slsa-goreleaser.yml contains an env var with multiple '=' signs: ``` env: - CGO_ENABLED=1 - CGO_CFLAGS=-mmacosx-version-min=11.0 ``` the 'build dry project' GH workflow step fails with "invalid environment variable: CGO_CFLAGS=-mmacosx-version-min=11.0" This is caused by the way the env vars are parsed in GoReleaserConfig:setEnvs which only allow for a single '=' sign. This commit fixes this by splitting the env string at the first equal sign, first part is the env var name and won't contain '=' signs, second part is its value and can contain any number of '='. This also adds unit tests for this situation, and for env vars with no values (`CGO_CFLAGS=`). This fixes slsa-framework#1231

If .slsa-goreleaser.yml contains an env var with multiple '=' signs: ``` env: - CGO_ENABLED=1 - CGO_CFLAGS=-mmacosx-version-min=11.0 ``` the 'build dry project' GH workflow step fails with "invalid environment variable: CGO_CFLAGS=-mmacosx-version-min=11.0" This is caused by the way the env vars are parsed in GoReleaserConfig:setEnvs which only allow for a single '=' sign. This commit fixes this by splitting the env string at the first equal sign, first part is the env var name and won't contain '=' signs, second part is its value and can contain any number of '='. This also adds unit tests for this situation, and for env vars with no values (`CGO_CFLAGS=`). This fixes slsa-framework#1231 Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>

If .slsa-goreleaser.yml contains an env var with multiple '=' signs: ``` env: - CGO_ENABLED=1 - CGO_CFLAGS=-mmacosx-version-min=11.0 ``` the 'build dry project' GH workflow step fails with "invalid environment variable: CGO_CFLAGS=-mmacosx-version-min=11.0" This is caused by the way the env vars are parsed in GoReleaserConfig:setEnvs which only allow for a single '=' sign. This commit fixes this by splitting the env string at the first equal sign, first part is the env var name and won't contain '=' signs, second part is its value and can contain any number of '='. This also adds unit tests for this situation, and for env vars with no values (`CGO_CFLAGS=`). This fixes #1231 Signed-off-by: Christophe Fergeau <cfergeau@redhat.com> Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>

cfergeau added status:triage Issue that has not been triaged type:bug Something isn't working labels Nov 15, 2022

ianlewis added area:go Issue related to the Go ecosystem and removed status:triage Issue that has not been triaged labels Nov 16, 2022

cfergeau mentioned this issue Nov 16, 2022

builder: go: Allow equal signs in env vars #1232

Merged

laurentsimon closed this as completed in #1232 Nov 16, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[bug] Environment variable value cannot contain = #1231

[bug] Environment variable value cannot contain = #1231

cfergeau commented Nov 15, 2022

asraa commented Nov 15, 2022

laurentsimon commented Nov 15, 2022

cfergeau commented Nov 15, 2022

[bug] Environment variable value cannot contain = #1231

[bug] Environment variable value cannot contain = #1231

Comments

cfergeau commented Nov 15, 2022

asraa commented Nov 15, 2022

laurentsimon commented Nov 15, 2022

cfergeau commented Nov 15, 2022