diff --git a/docs/usage/self-hosted-configuration.md b/docs/usage/self-hosted-configuration.md
index 93af532f4906e1cc7ab0d2d972827dcb7d617a1f..7b2bbd01ad6e75fa6f883d56b88c3372bf98df0e 100644
--- a/docs/usage/self-hosted-configuration.md
+++ b/docs/usage/self-hosted-configuration.md
@@ -9,6 +9,8 @@ The configuration options listed in this document are applicable to self-hosted
Please also see [Self-Hosted Experimental Options](./self-hosted-experimental.md).
+## allowCustomCrateRegistries
+
## allowPostUpgradeCommandTemplating
Set to true to allow templating of dependency level post-upgrade commands.
@@ -52,6 +54,8 @@ npm ci --ignore-scripts
npx ng update @angular/core --from=10.0.0 --to=11.0.0 --migrate-only --allow-dirty --force
```
+## allowScripts
+
## allowedPostUpgradeCommands
A list of regular expressions that determine which commands in `postUpgradeTasks` are allowed to be executed.
@@ -186,6 +190,13 @@ e.g.
## endpoint
+## exposeAllEnv
+
+By default, Renovate will only pass a limited set of environment variables to package managers.
+Potentially, there could be leaks of confidential data if a script you don't trust enumerates all values in env, so set this to true only if you trust the repositories which the bot runs against.
+
+Setting this to true will also allow for variable substitution in `.npmrc` files.
+
## force
This object is used as a "force override" when you need to make sure certain configuration overrides whatever is configured in the repository.
@@ -375,13 +386,4 @@ This is currently applicable to `npm` and `lerna`/`npm` only, and only used in c
## token
-## trustLevel
-
-Setting trustLevel to `"high"` can make sense in many self-hosted cases where the bot operator trusts the content in each repository.
-
-Setting trustLevel=high means:
-
-- Child processes are run with full access to `env`
-- `.npmrc` files can have environment variable substitution performed
-
## username
diff --git a/lib/config/__snapshots__/migration.spec.ts.snap b/lib/config/__snapshots__/migration.spec.ts.snap
index 48456d788edf78f8d7c405c559dc77a45a766e40..a9d93e6307f2b31caff366e8e02a71f8a9e0875b 100644
--- a/lib/config/__snapshots__/migration.spec.ts.snap
+++ b/lib/config/__snapshots__/migration.spec.ts.snap
@@ -78,6 +78,8 @@ Array [
exports[`config/migration migrateConfig(config, parentConfig) migrates config 1`] = `
Object {
"additionalBranchPrefix": "{{parentDir}}-",
+ "allowCustomCrateRegistries": true,
+ "allowScripts": true,
"autodiscover": true,
"automerge": false,
"automergeType": "branch",
@@ -94,6 +96,7 @@ Object {
"dependencyDashboard": true,
"dependencyDashboardTitle": "foo",
"enabled": true,
+ "exposeAllEnv": true,
"extends": Array [
":automergeBranch",
"config:js-app",
@@ -109,8 +112,8 @@ Object {
"includeForks": true,
"lockFileMaintenance": Object {
"automerge": true,
+ "exposeAllEnv": false,
"schedule": "before 5am",
- "trustLevel": "low",
},
"major": Object {
"automerge": false,
@@ -243,7 +246,6 @@ Object {
"travis": Object {
"enabled": true,
},
- "trustLevel": "high",
}
`;
diff --git a/lib/config/admin.ts b/lib/config/admin.ts
index 6d6fd61fc69eddb50b0fea01141dc67317436843..feb3701c818dcd698613c5b5a3e2cf3655d6e77b 100644
--- a/lib/config/admin.ts
+++ b/lib/config/admin.ts
@@ -4,15 +4,17 @@ let adminConfig: RepoAdminConfig = {};
// TODO: once admin config work is complete, add a test to make sure this list includes all options with admin=true
export const repoAdminOptions = [
+ 'allowCustomCrateRegistries',
'allowPostUpgradeCommandTemplating',
+ 'allowScripts',
'allowedPostUpgradeCommands',
'customEnvVariables',
'dockerChildPrefix',
'dockerImagePrefix',
'dockerUser',
'dryRun',
+ 'exposeAllEnv',
'privateKey',
- 'trustLevel',
];
export function setAdminConfig(config: RenovateConfig = {}): void {
diff --git a/lib/config/definitions.ts b/lib/config/definitions.ts
index 5bf8d99305ef2bbacecfd8b3074662c83f495bb1..92b85aadaf02aff56b792686ee5c8d1bafa4d369 100644
--- a/lib/config/definitions.ts
+++ b/lib/config/definitions.ts
@@ -473,17 +473,33 @@ const options: RenovateOptions[] = [
default: false,
},
{
- name: 'trustLevel',
+ name: 'exposeAllEnv',
description:
- 'Set this to "high" if the bot should trust the repository owners/contents.',
+ 'Configure this to true to allow passing of all env variables to package managers.',
admin: true,
- type: 'string',
- default: 'low',
+ type: 'boolean',
+ default: false,
+ },
+ {
+ name: 'allowScripts',
+ description:
+ 'Configure this to true if repositories are allowed to run install scripts.',
+ admin: true,
+ type: 'boolean',
+ default: false,
+ },
+ {
+ name: 'allowCustomCrateRegistries',
+ description:
+ 'Configure this to true if custom crate registries are allowed.',
+ admin: true,
+ type: 'boolean',
+ default: false,
},
{
name: 'ignoreScripts',
description:
- 'Configure this to true if trustLevel is high but you wish to skip running scripts when updating lock files.',
+ 'Configure this to true if allowScripts=true but you wish to skip running scripts when updating lock files.',
type: 'boolean',
default: false,
},
diff --git a/lib/config/migration.spec.ts b/lib/config/migration.spec.ts
index 7bd348c5ea4996a320f7968d26a181810918e321..6f19f5c6cacffe68dc63899f3fc68b13e69bc26a 100644
--- a/lib/config/migration.spec.ts
+++ b/lib/config/migration.spec.ts
@@ -56,6 +56,7 @@ describe(getName(__filename), () => {
masterIssueTitle: 'foo',
gomodTidy: true,
upgradeInRange: true,
+ trustLevel: 'high',
automergeType: 'branch-push',
branchName:
'{{{branchPrefix}}}{{{managerBranchPrefix}}}{{{branchTopic}}}{{{baseDir}}}',
diff --git a/lib/config/migration.ts b/lib/config/migration.ts
index 8b4f7ad5b18d5bc7d125a29e5b7ffe60ded77636..32ddd4566b6eaa3b41d9006efb4d0bfc31feb0bf 100644
--- a/lib/config/migration.ts
+++ b/lib/config/migration.ts
@@ -191,11 +191,14 @@ export function migrateConfig(
migratedConfig.rebaseWhen = 'never';
}
} else if (key === 'exposeEnv') {
+ migratedConfig.exposeAllEnv = val;
delete migratedConfig.exposeEnv;
- if (val === true) {
- migratedConfig.trustLevel = 'high';
- } else if (val === false) {
- migratedConfig.trustLevel = 'low';
+ } else if (key === 'trustLevel') {
+ delete migratedConfig.trustLevel;
+ if (val === 'high') {
+ migratedConfig.allowCustomCrateRegistries ??= true;
+ migratedConfig.allowScripts ??= true;
+ migratedConfig.exposeAllEnv ??= true;
}
} else if (
key === 'branchName' &&
diff --git a/lib/config/types.ts b/lib/config/types.ts
index b2c9ca6b37fb420f04b196bf8bc3a47cdc2cae3a..2ef022c21c49b8a90bec37c8efbf733ed04b8724 100644
--- a/lib/config/types.ts
+++ b/lib/config/types.ts
@@ -83,15 +83,17 @@ export interface GlobalOnlyConfig {
// Config options used within the repository worker, but not user configurable
// The below should contain config options where admin=true
export interface RepoAdminConfig {
+ allowCustomCrateRegistries?: boolean;
allowPostUpgradeCommandTemplating?: boolean;
+ allowScripts?: boolean;
allowedPostUpgradeCommands?: string[];
customEnvVariables?: Record<string, string>;
dockerChildPrefix?: string;
dockerImagePrefix?: string;
dockerUser?: string;
dryRun?: boolean;
+ exposeAllEnv?: boolean;
privateKey?: string | Buffer;
- trustLevel?: 'low' | 'high';
}
export interface LegacyAdminConfig {
diff --git a/lib/datasource/crate/__snapshots__/index.spec.ts.snap b/lib/datasource/crate/__snapshots__/index.spec.ts.snap
index 48572b6e73a18d200de9e6fafdbcf945b45a7a93..6e8b60c69915645aea2b54422b69ab49adff5629 100644
--- a/lib/datasource/crate/__snapshots__/index.spec.ts.snap
+++ b/lib/datasource/crate/__snapshots__/index.spec.ts.snap
@@ -331,7 +331,7 @@ Array [
]
`;
-exports[`datasource/crate/index getReleases refuses to clone if trustLevel is not high 1`] = `null`;
+exports[`datasource/crate/index getReleases refuses to clone if allowCustomCrateRegistries is not true 1`] = `null`;
exports[`datasource/crate/index getReleases returns null for 404 1`] = `
Array [
diff --git a/lib/datasource/crate/index.spec.ts b/lib/datasource/crate/index.spec.ts
index a83b9f6293da5673e626348c22d75b333e98aa83..dd8e79fdefb2cbec73214847aa06a7a1ecc88537 100644
--- a/lib/datasource/crate/index.spec.ts
+++ b/lib/datasource/crate/index.spec.ts
@@ -225,7 +225,7 @@ describe(getName(__filename), () => {
expect(res).toBeDefined();
expect(httpMock.getTrace()).toMatchSnapshot();
});
- it('refuses to clone if trustLevel is not high', async () => {
+ it('refuses to clone if allowCustomCrateRegistries is not true', async () => {
const { mockClone } = setupGitMocks();
const url = 'https://dl.cloudsmith.io/basic/myorg/myrepo/cargo/index.git';
@@ -240,7 +240,7 @@ describe(getName(__filename), () => {
});
it('clones cloudsmith private registry', async () => {
const { mockClone } = setupGitMocks();
- setAdminConfig({ trustLevel: 'high' });
+ setAdminConfig({ allowCustomCrateRegistries: true });
const url = 'https://dl.cloudsmith.io/basic/myorg/myrepo/cargo/index.git';
const res = await getPkgReleases({
datasource,
@@ -254,7 +254,7 @@ describe(getName(__filename), () => {
});
it('clones other private registry', async () => {
const { mockClone } = setupGitMocks();
- setAdminConfig({ trustLevel: 'high' });
+ setAdminConfig({ allowCustomCrateRegistries: true });
const url = 'https://github.com/mcorbin/testregistry';
const res = await getPkgReleases({
datasource,
@@ -268,7 +268,7 @@ describe(getName(__filename), () => {
});
it('clones once then reuses the cache', async () => {
const { mockClone } = setupGitMocks();
- setAdminConfig({ trustLevel: 'high' });
+ setAdminConfig({ allowCustomCrateRegistries: true });
const url = 'https://github.com/mcorbin/othertestregistry';
await getPkgReleases({
datasource,
@@ -284,7 +284,7 @@ describe(getName(__filename), () => {
});
it('guards against race conditions while cloning', async () => {
const { mockClone } = setupGitMocks(250);
- setAdminConfig({ trustLevel: 'high' });
+ setAdminConfig({ allowCustomCrateRegistries: true });
const url = 'https://github.com/mcorbin/othertestregistry';
await Promise.all([
@@ -310,7 +310,7 @@ describe(getName(__filename), () => {
});
it('returns null when git clone fails', async () => {
setupErrorGitMock();
- setAdminConfig({ trustLevel: 'high' });
+ setAdminConfig({ allowCustomCrateRegistries: true });
const url = 'https://github.com/mcorbin/othertestregistry';
const result = await getPkgReleases({
diff --git a/lib/datasource/crate/index.ts b/lib/datasource/crate/index.ts
index cce827f726b39f76fa5aab077031f51cc4240499..44d39cb1852829c1352df96b141886a934780bea 100644
--- a/lib/datasource/crate/index.ts
+++ b/lib/datasource/crate/index.ts
@@ -163,9 +163,9 @@ async function fetchRegistryInfo(
};
if (flavor !== RegistryFlavor.CratesIo) {
- if (getAdminConfig().trustLevel !== 'high') {
+ if (!getAdminConfig().allowCustomCrateRegistries) {
logger.warn(
- 'crate datasource: trustLevel=high is required for registries other than crates.io, bailing out'
+ 'crate datasource: allowCustomCrateRegistries=true is required for registries other than crates.io, bailing out'
);
return null;
}
diff --git a/lib/datasource/npm/index.spec.ts b/lib/datasource/npm/index.spec.ts
index 1b630c14be26359edf798d2f70ea2489d7fcd457..d5091d722de3ada6197e3d23132322d98ad659e5 100644
--- a/lib/datasource/npm/index.spec.ts
+++ b/lib/datasource/npm/index.spec.ts
@@ -359,7 +359,7 @@ describe(getName(__filename), () => {
.reply(200, npmResponse);
process.env.REGISTRY = 'https://registry.from-env.com';
process.env.RENOVATE_CACHE_NPM_MINUTES = '15';
- setAdminConfig({ trustLevel: 'high' });
+ setAdminConfig({ exposeAllEnv: true });
// eslint-disable-next-line no-template-curly-in-string
const npmrc = 'registry=${REGISTRY}';
const res = await getPkgReleases({ datasource, depName: 'foobar', npmrc });
@@ -368,7 +368,7 @@ describe(getName(__filename), () => {
});
it('should throw error if necessary env var is not present', () => {
- setAdminConfig({ trustLevel: 'high' });
+ setAdminConfig({ exposeAllEnv: true });
// eslint-disable-next-line no-template-curly-in-string
expect(() => setNpmrc('registry=${REGISTRY_MISSING}')).toThrow(
Error('env-replace')
diff --git a/lib/datasource/npm/npmrc.spec.ts b/lib/datasource/npm/npmrc.spec.ts
index 186e496972635195b199b9a3bbeb4b8042ce40f2..41fff3d27c3457546344141ee36bfff69559de6b 100644
--- a/lib/datasource/npm/npmrc.spec.ts
+++ b/lib/datasource/npm/npmrc.spec.ts
@@ -38,7 +38,7 @@ describe(getName(__filename), () => {
});
it('sanitize _authtoken with high trust', () => {
- setAdminConfig({ trustLevel: 'high' });
+ setAdminConfig({ exposeAllEnv: true });
process.env.TEST_TOKEN = 'test';
setNpmrc(
// eslint-disable-next-line no-template-curly-in-string
diff --git a/lib/datasource/npm/npmrc.ts b/lib/datasource/npm/npmrc.ts
index dae13dfca018521376e65c8242f02352b9d0509d..3641998d365c9ac4e5caa271a382c15b266675b1 100644
--- a/lib/datasource/npm/npmrc.ts
+++ b/lib/datasource/npm/npmrc.ts
@@ -61,13 +61,13 @@ export function setNpmrc(input?: string): void {
npmrcRaw = input;
logger.debug('Setting npmrc');
npmrc = ini.parse(input.replace(/\\n/g, '\n'));
- const { trustLevel } = getAdminConfig();
+ const { exposeAllEnv } = getAdminConfig();
for (const [key, val] of Object.entries(npmrc)) {
- if (trustLevel !== 'high') {
+ if (!exposeAllEnv) {
sanitize(key, val);
}
if (
- trustLevel !== 'high' &&
+ !exposeAllEnv &&
key.endsWith('registry') &&
val &&
val.includes('localhost')
@@ -80,7 +80,7 @@ export function setNpmrc(input?: string): void {
return;
}
}
- if (trustLevel !== 'high') {
+ if (!exposeAllEnv) {
return;
}
for (const key of Object.keys(npmrc)) {
diff --git a/lib/manager/composer/artifacts.spec.ts b/lib/manager/composer/artifacts.spec.ts
index d7798754387c6cd7fbebd66796998bfb2c001c49..fca585b95834329f4f5442157b7aa6caabe771c9 100644
--- a/lib/manager/composer/artifacts.spec.ts
+++ b/lib/manager/composer/artifacts.spec.ts
@@ -30,6 +30,7 @@ const config = {
localDir: join('/tmp/github/some/repo'),
cacheDir: join('/tmp/renovate/cache'),
composerIgnorePlatformReqs: true,
+ ignoreScripts: false,
};
const repoStatus = partial<StatusResult>({
@@ -46,7 +47,7 @@ describe('.updateArtifacts()', () => {
await setUtilConfig(config);
docker.resetPrefetchedImages();
hostRules.clear();
- setAdminConfig();
+ setAdminConfig({ allowScripts: false });
});
it('returns if no composer.lock found', async () => {
expect(
@@ -63,7 +64,7 @@ describe('.updateArtifacts()', () => {
const execSnapshots = mockExecAll(exec);
fs.readLocalFile.mockReturnValueOnce('Current composer.lock' as any);
git.getRepoStatus.mockResolvedValue(repoStatus);
- setAdminConfig({ trustLevel: 'high' });
+ setAdminConfig({ allowScripts: true });
expect(
await composer.updateArtifacts({
packageFileName: 'composer.json',
diff --git a/lib/manager/composer/artifacts.ts b/lib/manager/composer/artifacts.ts
index 9515106780c284395ecdb57450ad3c783f41e1f3..bffbe7510c707e678c753a5b4918e94ea4406384 100644
--- a/lib/manager/composer/artifacts.ts
+++ b/lib/manager/composer/artifacts.ts
@@ -151,7 +151,7 @@ export async function updateArtifacts({
args += ' --ignore-platform-reqs';
}
args += ' --no-ansi --no-interaction';
- if (getAdminConfig().trustLevel !== 'high' || config.ignoreScripts) {
+ if (!getAdminConfig().allowScripts || config.ignoreScripts) {
args += ' --no-scripts --no-autoloader';
}
logger.debug({ cmd, args }, 'composer command');
diff --git a/lib/manager/npm/extract/index.ts b/lib/manager/npm/extract/index.ts
index 7bccc130f11d2a22a48a4834766b06828309254d..aacf7d55444bef4f1328d0bba6510e3125ffb5c1 100644
--- a/lib/manager/npm/extract/index.ts
+++ b/lib/manager/npm/extract/index.ts
@@ -107,7 +107,7 @@ export async function extractPackageFile(
npmrc = npmrc.replace(/(^|\n)package-lock.*?(\n|$)/g, '\n');
}
if (is.string(npmrc)) {
- if (npmrc.includes('=${') && getAdminConfig().trustLevel !== 'high') {
+ if (npmrc.includes('=${') && !getAdminConfig().exposeAllEnv) {
logger.debug('Discarding .npmrc file with variables');
ignoreNpmrcFile = true;
npmrc = undefined;
diff --git a/lib/manager/npm/post-update/lerna.spec.ts b/lib/manager/npm/post-update/lerna.spec.ts
index 0dddb7c585fe5de571e16d0aae9da790e6451d41..b5a596d671bbc599254e8c32ae6c26e9beca79e0 100644
--- a/lib/manager/npm/post-update/lerna.spec.ts
+++ b/lib/manager/npm/post-update/lerna.spec.ts
@@ -109,7 +109,7 @@ describe(getName(__filename), () => {
});
it('allows scripts for trust level high', async () => {
const execSnapshots = mockExecAll(exec);
- setAdminConfig({ trustLevel: 'high' });
+ setAdminConfig({ allowScripts: true });
const res = await lernaHelper.generateLockFiles(
lernaPkgFile('npm'),
'some-dir',
diff --git a/lib/manager/npm/post-update/lerna.ts b/lib/manager/npm/post-update/lerna.ts
index acba413c40c10821ae0104846c6a77251a46f4b1..2ce9e38d4a83620ab0c19bece36c9b55931e9916 100644
--- a/lib/manager/npm/post-update/lerna.ts
+++ b/lib/manager/npm/post-update/lerna.ts
@@ -72,10 +72,7 @@ export async function generateLockFiles(
return { error: false };
}
let lernaCommand = `lerna bootstrap --no-ci --ignore-scripts -- `;
- if (
- getAdminConfig().trustLevel === 'high' &&
- config.ignoreScripts !== false
- ) {
+ if (getAdminConfig().allowScripts && config.ignoreScripts !== false) {
cmdOptions = cmdOptions.replace('--ignore-scripts ', '');
lernaCommand = lernaCommand.replace('--ignore-scripts ', '');
}
@@ -96,7 +93,7 @@ export async function generateLockFiles(
},
};
// istanbul ignore if
- if (getAdminConfig().trustLevel === 'high') {
+ if (getAdminConfig().exposeAllEnv) {
execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH;
execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL;
}
diff --git a/lib/manager/npm/post-update/npm.ts b/lib/manager/npm/post-update/npm.ts
index 0025d620fe4c76e9c6d9ec2c47bdfa735876c6ae..a11bce39231f08fe835af83f338e934baf17e2ca 100644
--- a/lib/manager/npm/post-update/npm.ts
+++ b/lib/manager/npm/post-update/npm.ts
@@ -71,7 +71,7 @@ export async function generateLockFile(
},
};
// istanbul ignore if
- if (getAdminConfig().trustLevel === 'high') {
+ if (getAdminConfig().exposeAllEnv) {
execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH;
execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL;
}
diff --git a/lib/manager/npm/post-update/pnpm.ts b/lib/manager/npm/post-update/pnpm.ts
index 6541a412870a233dbd15e80c08d81cf50d48cca9..b9842631f96f53497d7383f02541b4f6ec7c8e1e 100644
--- a/lib/manager/npm/post-update/pnpm.ts
+++ b/lib/manager/npm/post-update/pnpm.ts
@@ -50,7 +50,7 @@ export async function generateLockFile(
},
};
// istanbul ignore if
- if (getAdminConfig().trustLevel === 'high') {
+ if (getAdminConfig().exposeAllEnv) {
execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH;
execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL;
}
@@ -62,7 +62,7 @@ export async function generateLockFile(
}
cmd = 'pnpm';
let args = 'install --recursive --lockfile-only';
- if (getAdminConfig().trustLevel !== 'high' || config.ignoreScripts) {
+ if (!getAdminConfig().allowScripts || config.ignoreScripts) {
args += ' --ignore-scripts';
args += ' --ignore-pnpmfile';
}
diff --git a/lib/manager/npm/post-update/yarn.ts b/lib/manager/npm/post-update/yarn.ts
index 34aed8c7cdbf68d1d0b9e8284c1bc980767d9651..5e7d4958273365ad08cc3fba777b7cc23d82c58e 100644
--- a/lib/manager/npm/post-update/yarn.ts
+++ b/lib/manager/npm/post-update/yarn.ts
@@ -102,7 +102,7 @@ export async function generateLockFile(
extraEnv.YARN_ENABLE_IMMUTABLE_INSTALLS = 'false';
extraEnv.YARN_HTTP_TIMEOUT = '100000';
}
- if (getAdminConfig().trustLevel !== 'high' || config.ignoreScripts) {
+ if (!getAdminConfig().allowScripts || config.ignoreScripts) {
if (isYarn1) {
cmdOptions += ' --ignore-scripts';
} else {
@@ -121,7 +121,7 @@ export async function generateLockFile(
},
};
// istanbul ignore if
- if (getAdminConfig().trustLevel === 'high') {
+ if (getAdminConfig().exposeAllEnv) {
execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH;
execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL;
}
diff --git a/lib/manager/pip_requirements/extract.spec.ts b/lib/manager/pip_requirements/extract.spec.ts
index 6226ab5fc424da33142839f75cae892b04894c90..9607c03eebc135073ed750238184fed2105da2ba 100644
--- a/lib/manager/pip_requirements/extract.spec.ts
+++ b/lib/manager/pip_requirements/extract.spec.ts
@@ -129,7 +129,7 @@ describe(getName(__filename), () => {
});
it('should replace env vars in high trust mode', () => {
process.env.PIP_TEST_TOKEN = 'its-a-secret';
- setAdminConfig({ trustLevel: 'high' });
+ setAdminConfig({ exposeAllEnv: true });
const res = extractPackageFile(requirements7, 'unused_file_name', {});
expect(res.registryUrls).toEqual([
'https://pypi.org/pypi/',
diff --git a/lib/manager/pip_requirements/extract.ts b/lib/manager/pip_requirements/extract.ts
index 87e2ffaec01963d6961b32f84e43567b1db46c3f..87fc491b410ce2d776a0e49b2dc0bab3192601f6 100644
--- a/lib/manager/pip_requirements/extract.ts
+++ b/lib/manager/pip_requirements/extract.ts
@@ -84,7 +84,7 @@ export function extractPackageFile(
res.registryUrls = registryUrls.map((url) => {
// handle the optional quotes in eg. `--extra-index-url "https://foo.bar"`
const cleaned = url.replace(/^"/, '').replace(/"$/, '');
- if (getAdminConfig().trustLevel !== 'high') {
+ if (!getAdminConfig().exposeAllEnv) {
return cleaned;
}
// interpolate any environment variables
diff --git a/lib/util/exec/env.spec.ts b/lib/util/exec/env.spec.ts
index e3a0eabc258ad3e92f1f6bb32ba1eb01386c3c19..ebc1c16900a513423e15850c6bbda3dc6f69f9bc 100644
--- a/lib/util/exec/env.spec.ts
+++ b/lib/util/exec/env.spec.ts
@@ -58,7 +58,7 @@ describe('getChildProcess environment when trustlevel set to low', () => {
describe('getChildProcessEnv when trustlevel set to high', () => {
it('returns process.env if trustlevel set to high', () => {
- setAdminConfig({ trustLevel: 'high' });
+ setAdminConfig({ exposeAllEnv: true });
expect(getChildProcessEnv()).toMatchObject(process.env);
});
});
diff --git a/lib/util/exec/env.ts b/lib/util/exec/env.ts
index 38950e4e867a955c74566868c70a524894d598cb..faffd61bf8152631c87d651775975781671f743b 100644
--- a/lib/util/exec/env.ts
+++ b/lib/util/exec/env.ts
@@ -17,7 +17,7 @@ export function getChildProcessEnv(
customEnvVars: string[] = []
): NodeJS.ProcessEnv {
const env: NodeJS.ProcessEnv = {};
- if (getAdminConfig().trustLevel === 'high') {
+ if (getAdminConfig().exposeAllEnv) {
return { ...env, ...process.env };
}
const envVars = [...basicEnvVars, ...customEnvVars];
diff --git a/lib/util/exec/exec.spec.ts b/lib/util/exec/exec.spec.ts
index f5a67fbda532842d204835399d903dfefd4ab3f0..e5db81a628a4e873a0ee73d22fc9b8ab086bcea8 100644
--- a/lib/util/exec/exec.spec.ts
+++ b/lib/util/exec/exec.spec.ts
@@ -194,7 +194,7 @@ describe(getName(__filename), () => {
maxBuffer: 10485760,
},
],
- adminConfig: { trustLevel: 'high' },
+ adminConfig: { exposeAllEnv: true },
},
],
diff --git a/lib/workers/branch/index.spec.ts b/lib/workers/branch/index.spec.ts
index a38f6cce331b9940414453eac3466487bd8cb5c5..73d68242507905d3c87d0c6ad22c2de7cc51dc78 100644
--- a/lib/workers/branch/index.spec.ts
+++ b/lib/workers/branch/index.spec.ts
@@ -736,7 +736,7 @@ describe(getName(__filename), () => {
const adminConfig = {
allowedPostUpgradeCommands: ['^echo {{{versioning}}}$'],
allowPostUpgradeCommandTemplating: true,
- trustLevel: 'high',
+ exposeAllEnv: true,
};
setAdminConfig(adminConfig);
@@ -816,7 +816,7 @@ describe(getName(__filename), () => {
const adminConfig = {
allowedPostUpgradeCommands: ['^exit 1$'],
allowPostUpgradeCommandTemplating: true,
- trustLevel: 'high',
+ exposeAllEnv: true,
};
setAdminConfig(adminConfig);
@@ -885,7 +885,7 @@ describe(getName(__filename), () => {
const adminConfig = {
allowedPostUpgradeCommands: ['^echo {{{versioning}}}$'],
allowPostUpgradeCommandTemplating: false,
- trustLevel: 'high',
+ exposeAllEnv: true,
};
setAdminConfig(adminConfig);
const result = await branchWorker.processBranch({
@@ -965,7 +965,7 @@ describe(getName(__filename), () => {
const adminConfig = {
allowedPostUpgradeCommands: ['^echo {{{depName}}}$'],
allowPostUpgradeCommandTemplating: true,
- trustLevel: 'high',
+ exposeAllEnv: true,
};
setAdminConfig(adminConfig);