From 8af905e8f5ddc5f48360a15f6e7226f79c9e57aa Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Thu, 15 Apr 2021 22:15:30 +0200
Subject: [PATCH] feat: split trustLevel into separate options (#9388)

Removes trustLevel and replaces it with 3 other options instead. It is no longer necessary to set anything additional if configuring `allowedPostUpgradeCommands`.

BREAKING CHANGE: `trustLevel` is no longer supported and instead broken into `allowCustomCrateRegistries` , `allowScripts` , and `exposeAllEnv`.
---
 docs/usage/self-hosted-configuration.md       | 20 +++++++-------
 .../__snapshots__/migration.spec.ts.snap      |  6 +++--
 lib/config/admin.ts                           |  4 ++-
 lib/config/definitions.ts                     | 26 +++++++++++++++----
 lib/config/migration.spec.ts                  |  1 +
 lib/config/migration.ts                       | 11 +++++---
 lib/config/types.ts                           |  4 ++-
 .../crate/__snapshots__/index.spec.ts.snap    |  2 +-
 lib/datasource/crate/index.spec.ts            | 12 ++++-----
 lib/datasource/crate/index.ts                 |  4 +--
 lib/datasource/npm/index.spec.ts              |  4 +--
 lib/datasource/npm/npmrc.spec.ts              |  2 +-
 lib/datasource/npm/npmrc.ts                   |  8 +++---
 lib/manager/composer/artifacts.spec.ts        |  5 ++--
 lib/manager/composer/artifacts.ts             |  2 +-
 lib/manager/npm/extract/index.ts              |  2 +-
 lib/manager/npm/post-update/lerna.spec.ts     |  2 +-
 lib/manager/npm/post-update/lerna.ts          |  7 ++---
 lib/manager/npm/post-update/npm.ts            |  2 +-
 lib/manager/npm/post-update/pnpm.ts           |  4 +--
 lib/manager/npm/post-update/yarn.ts           |  4 +--
 lib/manager/pip_requirements/extract.spec.ts  |  2 +-
 lib/manager/pip_requirements/extract.ts       |  2 +-
 lib/util/exec/env.spec.ts                     |  2 +-
 lib/util/exec/env.ts                          |  2 +-
 lib/util/exec/exec.spec.ts                    |  2 +-
 lib/workers/branch/index.spec.ts              |  8 +++---
 27 files changed, 88 insertions(+), 62 deletions(-)

diff --git a/docs/usage/self-hosted-configuration.md b/docs/usage/self-hosted-configuration.md
index 93af532f49..7b2bbd01ad 100644
--- a/docs/usage/self-hosted-configuration.md
+++ b/docs/usage/self-hosted-configuration.md
@@ -9,6 +9,8 @@ The configuration options listed in this document are applicable to self-hosted
 
 Please also see [Self-Hosted Experimental Options](./self-hosted-experimental.md).
 
+## allowCustomCrateRegistries
+
 ## allowPostUpgradeCommandTemplating
 
 Set to true to allow templating of dependency level post-upgrade commands.
@@ -52,6 +54,8 @@ npm ci --ignore-scripts
 npx ng update @angular/core --from=10.0.0 --to=11.0.0 --migrate-only --allow-dirty --force
 ```
 
+## allowScripts
+
 ## allowedPostUpgradeCommands
 
 A list of regular expressions that determine which commands in `postUpgradeTasks` are allowed to be executed.
@@ -186,6 +190,13 @@ e.g.
 
 ## endpoint
 
+## exposeAllEnv
+
+By default, Renovate will only pass a limited set of environment variables to package managers.
+Potentially, there could be leaks of confidential data if a script you don't trust enumerates all values in env, so set this to true only if you trust the repositories which the bot runs against.
+
+Setting this to true will also allow for variable substitution in `.npmrc` files.
+
 ## force
 
 This object is used as a "force override" when you need to make sure certain configuration overrides whatever is configured in the repository.
@@ -375,13 +386,4 @@ This is currently applicable to `npm` and `lerna`/`npm` only, and only used in c
 
 ## token
 
-## trustLevel
-
-Setting trustLevel to `"high"` can make sense in many self-hosted cases where the bot operator trusts the content in each repository.
-
-Setting trustLevel=high means:
-
-- Child processes are run with full access to `env`
-- `.npmrc` files can have environment variable substitution performed
-
 ## username
diff --git a/lib/config/__snapshots__/migration.spec.ts.snap b/lib/config/__snapshots__/migration.spec.ts.snap
index 48456d788e..a9d93e6307 100644
--- a/lib/config/__snapshots__/migration.spec.ts.snap
+++ b/lib/config/__snapshots__/migration.spec.ts.snap
@@ -78,6 +78,8 @@ Array [
 exports[`config/migration migrateConfig(config, parentConfig) migrates config 1`] = `
 Object {
   "additionalBranchPrefix": "{{parentDir}}-",
+  "allowCustomCrateRegistries": true,
+  "allowScripts": true,
   "autodiscover": true,
   "automerge": false,
   "automergeType": "branch",
@@ -94,6 +96,7 @@ Object {
   "dependencyDashboard": true,
   "dependencyDashboardTitle": "foo",
   "enabled": true,
+  "exposeAllEnv": true,
   "extends": Array [
     ":automergeBranch",
     "config:js-app",
@@ -109,8 +112,8 @@ Object {
   "includeForks": true,
   "lockFileMaintenance": Object {
     "automerge": true,
+    "exposeAllEnv": false,
     "schedule": "before 5am",
-    "trustLevel": "low",
   },
   "major": Object {
     "automerge": false,
@@ -243,7 +246,6 @@ Object {
   "travis": Object {
     "enabled": true,
   },
-  "trustLevel": "high",
 }
 `;
 
diff --git a/lib/config/admin.ts b/lib/config/admin.ts
index 6d6fd61fc6..feb3701c81 100644
--- a/lib/config/admin.ts
+++ b/lib/config/admin.ts
@@ -4,15 +4,17 @@ let adminConfig: RepoAdminConfig = {};
 
 // TODO: once admin config work is complete, add a test to make sure this list includes all options with admin=true
 export const repoAdminOptions = [
+  'allowCustomCrateRegistries',
   'allowPostUpgradeCommandTemplating',
+  'allowScripts',
   'allowedPostUpgradeCommands',
   'customEnvVariables',
   'dockerChildPrefix',
   'dockerImagePrefix',
   'dockerUser',
   'dryRun',
+  'exposeAllEnv',
   'privateKey',
-  'trustLevel',
 ];
 
 export function setAdminConfig(config: RenovateConfig = {}): void {
diff --git a/lib/config/definitions.ts b/lib/config/definitions.ts
index 5bf8d99305..92b85aadaf 100644
--- a/lib/config/definitions.ts
+++ b/lib/config/definitions.ts
@@ -473,17 +473,33 @@ const options: RenovateOptions[] = [
     default: false,
   },
   {
-    name: 'trustLevel',
+    name: 'exposeAllEnv',
     description:
-      'Set this to "high" if the bot should trust the repository owners/contents.',
+      'Configure this to true to allow passing of all env variables to package managers.',
     admin: true,
-    type: 'string',
-    default: 'low',
+    type: 'boolean',
+    default: false,
+  },
+  {
+    name: 'allowScripts',
+    description:
+      'Configure this to true if repositories are allowed to run install scripts.',
+    admin: true,
+    type: 'boolean',
+    default: false,
+  },
+  {
+    name: 'allowCustomCrateRegistries',
+    description:
+      'Configure this to true if custom crate registries are allowed.',
+    admin: true,
+    type: 'boolean',
+    default: false,
   },
   {
     name: 'ignoreScripts',
     description:
-      'Configure this to true if trustLevel is high but you wish to skip running scripts when updating lock files.',
+      'Configure this to true if allowScripts=true but you wish to skip running scripts when updating lock files.',
     type: 'boolean',
     default: false,
   },
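Review bot: The `exposeAllEnv` description at the top of the hunk names only env passthrough to package managers, but in this same patch the flag also gates environment-variable substitution in `.npmrc` (npmrc.ts, npm/extract/index.ts) and pip requirements files (pip_requirements/extract.ts), and turns off the `sanitize` call and the localhost-registry check in npmrc.ts. The docs hunk mentions the substitution side; the option definition, which is presumably what generated docs and help output surface, does not, so an operator may enable it for one purpose without realising it widens the others. Suggest `'Configure this to true to allow passing of all env variables to package managers, and to allow env variable substitution in .npmrc and pip requirements files.'`. The `options` array begins and ends outside the hunk.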
diff --git a/lib/config/migration.spec.ts b/lib/config/migration.spec.ts
index 7bd348c5ea..6f19f5c6ca 100644
--- a/lib/config/migration.spec.ts
+++ b/lib/config/migration.spec.ts
@@ -56,6 +56,7 @@ describe(getName(__filename), () => {
         masterIssueTitle: 'foo',
         gomodTidy: true,
         upgradeInRange: true,
+        trustLevel: 'high',
         automergeType: 'branch-push',
         branchName:
           '{{{branchPrefix}}}{{{managerBranchPrefix}}}{{{branchTopic}}}{{{baseDir}}}',
diff --git a/lib/config/migration.ts b/lib/config/migration.ts
index 8b4f7ad5b1..32ddd4566b 100644
--- a/lib/config/migration.ts
+++ b/lib/config/migration.ts
@@ -191,11 +191,14 @@ export function migrateConfig(
           migratedConfig.rebaseWhen = 'never';
         }
       } else if (key === 'exposeEnv') {
+        migratedConfig.exposeAllEnv = val;
         delete migratedConfig.exposeEnv;
-        if (val === true) {
-          migratedConfig.trustLevel = 'high';
-        } else if (val === false) {
-          migratedConfig.trustLevel = 'low';
+      } else if (key === 'trustLevel') {
+        delete migratedConfig.trustLevel;
+        if (val === 'high') {
+          migratedConfig.allowCustomCrateRegistries ??= true;
+          migratedConfig.allowScripts ??= true;
+          migratedConfig.exposeAllEnv ??= true;
         }
       } else if (
         key === 'branchName' &&
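Review bot: The new `trustLevel` branch only acts on `'high'`; an explicit `'low'` is deleted without setting the three replacement flags, so a config that nests `trustLevel: 'low'` under an outer `'high'` (the migration snapshot's `lockFileMaintenance` block shows that nested shape) would, if nested admin options are honoured at that level, inherit the permissive values after migration instead of the override it used to carry. Mirroring the `'high'` branch with `??= false` keeps the override explicit. Separately, the `exposeEnv` branch now assigns `val` to `exposeAllEnv` unconditionally where it previously acted only on strict booleans, so a non-boolean value flows straight into a boolean option; keeping the `val === true` / `val === false` guard would preserve the old strictness. `migrateConfig` begins and ends outside the hunk.
```typescript
      } else if (key === 'trustLevel') {
        delete migratedConfig.trustLevel;
        if (val === 'high') {
          // … unchanged: `??= true` for the three replacement flags …
        } else if (val === 'low') {
          // keep an explicit "low" explicit so a nested override survives migration
          migratedConfig.allowCustomCrateRegistries ??= false;
          migratedConfig.allowScripts ??= false;
          migratedConfig.exposeAllEnv ??= false;
        }
```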
diff --git a/lib/config/types.ts b/lib/config/types.ts
index b2c9ca6b37..2ef022c21c 100644
--- a/lib/config/types.ts
+++ b/lib/config/types.ts
@@ -83,15 +83,17 @@ export interface GlobalOnlyConfig {
 // Config options used within the repository worker, but not user configurable
 // The below should contain config options where admin=true
 export interface RepoAdminConfig {
+  allowCustomCrateRegistries?: boolean;
   allowPostUpgradeCommandTemplating?: boolean;
+  allowScripts?: boolean;
   allowedPostUpgradeCommands?: string[];
   customEnvVariables?: Record<string, string>;
   dockerChildPrefix?: string;
   dockerImagePrefix?: string;
   dockerUser?: string;
   dryRun?: boolean;
+  exposeAllEnv?: boolean;
   privateKey?: string | Buffer;
-  trustLevel?: 'low' | 'high';
 }
 
 export interface LegacyAdminConfig {
diff --git a/lib/datasource/crate/__snapshots__/index.spec.ts.snap b/lib/datasource/crate/__snapshots__/index.spec.ts.snap
index 48572b6e73..6e8b60c699 100644
--- a/lib/datasource/crate/__snapshots__/index.spec.ts.snap
+++ b/lib/datasource/crate/__snapshots__/index.spec.ts.snap
@@ -331,7 +331,7 @@ Array [
 ]
 `;
 
-exports[`datasource/crate/index getReleases refuses to clone if trustLevel is not high 1`] = `null`;
+exports[`datasource/crate/index getReleases refuses to clone if allowCustomCrateRegistries is not true 1`] = `null`;
 
 exports[`datasource/crate/index getReleases returns null for 404 1`] = `
 Array [
diff --git a/lib/datasource/crate/index.spec.ts b/lib/datasource/crate/index.spec.ts
index a83b9f6293..dd8e79fdef 100644
--- a/lib/datasource/crate/index.spec.ts
+++ b/lib/datasource/crate/index.spec.ts
@@ -225,7 +225,7 @@ describe(getName(__filename), () => {
       expect(res).toBeDefined();
       expect(httpMock.getTrace()).toMatchSnapshot();
     });
-    it('refuses to clone if trustLevel is not high', async () => {
+    it('refuses to clone if allowCustomCrateRegistries is not true', async () => {
       const { mockClone } = setupGitMocks();
 
       const url = 'https://dl.cloudsmith.io/basic/myorg/myrepo/cargo/index.git';
@@ -240,7 +240,7 @@ describe(getName(__filename), () => {
     });
     it('clones cloudsmith private registry', async () => {
       const { mockClone } = setupGitMocks();
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ allowCustomCrateRegistries: true });
       const url = 'https://dl.cloudsmith.io/basic/myorg/myrepo/cargo/index.git';
       const res = await getPkgReleases({
         datasource,
@@ -254,7 +254,7 @@ describe(getName(__filename), () => {
     });
     it('clones other private registry', async () => {
       const { mockClone } = setupGitMocks();
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ allowCustomCrateRegistries: true });
       const url = 'https://github.com/mcorbin/testregistry';
       const res = await getPkgReleases({
         datasource,
@@ -268,7 +268,7 @@ describe(getName(__filename), () => {
     });
     it('clones once then reuses the cache', async () => {
       const { mockClone } = setupGitMocks();
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ allowCustomCrateRegistries: true });
       const url = 'https://github.com/mcorbin/othertestregistry';
       await getPkgReleases({
         datasource,
@@ -284,7 +284,7 @@ describe(getName(__filename), () => {
     });
     it('guards against race conditions while cloning', async () => {
       const { mockClone } = setupGitMocks(250);
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ allowCustomCrateRegistries: true });
       const url = 'https://github.com/mcorbin/othertestregistry';
 
       await Promise.all([
@@ -310,7 +310,7 @@ describe(getName(__filename), () => {
     });
     it('returns null when git clone fails', async () => {
       setupErrorGitMock();
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ allowCustomCrateRegistries: true });
       const url = 'https://github.com/mcorbin/othertestregistry';
 
       const result = await getPkgReleases({
diff --git a/lib/datasource/crate/index.ts b/lib/datasource/crate/index.ts
index cce827f726..44d39cb185 100644
--- a/lib/datasource/crate/index.ts
+++ b/lib/datasource/crate/index.ts
@@ -163,9 +163,9 @@ async function fetchRegistryInfo(
   };
 
   if (flavor !== RegistryFlavor.CratesIo) {
-    if (getAdminConfig().trustLevel !== 'high') {
+    if (!getAdminConfig().allowCustomCrateRegistries) {
       logger.warn(
-        'crate datasource: trustLevel=high is required for registries other than crates.io, bailing out'
+        'crate datasource: allowCustomCrateRegistries=true is required for registries other than crates.io, bailing out'
       );
       return null;
     }
diff --git a/lib/datasource/npm/index.spec.ts b/lib/datasource/npm/index.spec.ts
index 1b630c14be..d5091d722d 100644
--- a/lib/datasource/npm/index.spec.ts
+++ b/lib/datasource/npm/index.spec.ts
@@ -359,7 +359,7 @@ describe(getName(__filename), () => {
       .reply(200, npmResponse);
     process.env.REGISTRY = 'https://registry.from-env.com';
     process.env.RENOVATE_CACHE_NPM_MINUTES = '15';
-    setAdminConfig({ trustLevel: 'high' });
+    setAdminConfig({ exposeAllEnv: true });
     // eslint-disable-next-line no-template-curly-in-string
     const npmrc = 'registry=${REGISTRY}';
     const res = await getPkgReleases({ datasource, depName: 'foobar', npmrc });
@@ -368,7 +368,7 @@ describe(getName(__filename), () => {
   });
 
   it('should throw error if necessary env var is not present', () => {
-    setAdminConfig({ trustLevel: 'high' });
+    setAdminConfig({ exposeAllEnv: true });
     // eslint-disable-next-line no-template-curly-in-string
     expect(() => setNpmrc('registry=${REGISTRY_MISSING}')).toThrow(
       Error('env-replace')
diff --git a/lib/datasource/npm/npmrc.spec.ts b/lib/datasource/npm/npmrc.spec.ts
index 186e496972..41fff3d27c 100644
--- a/lib/datasource/npm/npmrc.spec.ts
+++ b/lib/datasource/npm/npmrc.spec.ts
@@ -38,7 +38,7 @@ describe(getName(__filename), () => {
   });
 
   it('sanitize _authtoken with high trust', () => {
-    setAdminConfig({ trustLevel: 'high' });
+    setAdminConfig({ exposeAllEnv: true });
     process.env.TEST_TOKEN = 'test';
     setNpmrc(
       // eslint-disable-next-line no-template-curly-in-string
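Review bot: The test title just above the changed line still says `with high trust`, so after this patch the spec names a setting that no longer exists while its body sets `exposeAllEnv`. The same stale wording survives in lerna.spec.ts (`allows scripts for trust level high`), pip_requirements/extract.spec.ts (`should replace env vars in high trust mode`) and env.spec.ts (both `describe` titles and the `it` that mention trustlevel). Renaming them to the option they now exercise, e.g. `it('sanitize _authtoken when exposeAllEnv is true', () => {`, keeps failures readable and makes the new flags greppable across the suite. The enclosing `describe` block continues outside the hunk.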
diff --git a/lib/datasource/npm/npmrc.ts b/lib/datasource/npm/npmrc.ts
index dae13dfca0..3641998d36 100644
--- a/lib/datasource/npm/npmrc.ts
+++ b/lib/datasource/npm/npmrc.ts
@@ -61,13 +61,13 @@ export function setNpmrc(input?: string): void {
     npmrcRaw = input;
     logger.debug('Setting npmrc');
     npmrc = ini.parse(input.replace(/\\n/g, '\n'));
-    const { trustLevel } = getAdminConfig();
+    const { exposeAllEnv } = getAdminConfig();
     for (const [key, val] of Object.entries(npmrc)) {
-      if (trustLevel !== 'high') {
+      if (!exposeAllEnv) {
         sanitize(key, val);
       }
       if (
-        trustLevel !== 'high' &&
+        !exposeAllEnv &&
         key.endsWith('registry') &&
         val &&
         val.includes('localhost')
@@ -80,7 +80,7 @@ export function setNpmrc(input?: string): void {
         return;
       }
     }
-    if (trustLevel !== 'high') {
+    if (!exposeAllEnv) {
       return;
     }
     for (const key of Object.keys(npmrc)) {
diff --git a/lib/manager/composer/artifacts.spec.ts b/lib/manager/composer/artifacts.spec.ts
index d779875438..fca585b958 100644
--- a/lib/manager/composer/artifacts.spec.ts
+++ b/lib/manager/composer/artifacts.spec.ts
@@ -30,6 +30,7 @@ const config = {
   localDir: join('/tmp/github/some/repo'),
   cacheDir: join('/tmp/renovate/cache'),
   composerIgnorePlatformReqs: true,
+  ignoreScripts: false,
 };
 
 const repoStatus = partial<StatusResult>({
@@ -46,7 +47,7 @@ describe('.updateArtifacts()', () => {
     await setUtilConfig(config);
     docker.resetPrefetchedImages();
     hostRules.clear();
-    setAdminConfig();
+    setAdminConfig({ allowScripts: false });
   });
   it('returns if no composer.lock found', async () => {
     expect(
@@ -63,7 +64,7 @@ describe('.updateArtifacts()', () => {
     const execSnapshots = mockExecAll(exec);
     fs.readLocalFile.mockReturnValueOnce('Current composer.lock' as any);
     git.getRepoStatus.mockResolvedValue(repoStatus);
-    setAdminConfig({ trustLevel: 'high' });
+    setAdminConfig({ allowScripts: true });
     expect(
       await composer.updateArtifacts({
         packageFileName: 'composer.json',
diff --git a/lib/manager/composer/artifacts.ts b/lib/manager/composer/artifacts.ts
index 9515106780..bffbe7510c 100644
--- a/lib/manager/composer/artifacts.ts
+++ b/lib/manager/composer/artifacts.ts
@@ -151,7 +151,7 @@ export async function updateArtifacts({
       args += ' --ignore-platform-reqs';
     }
     args += ' --no-ansi --no-interaction';
-    if (getAdminConfig().trustLevel !== 'high' || config.ignoreScripts) {
+    if (!getAdminConfig().allowScripts || config.ignoreScripts) {
       args += ' --no-scripts --no-autoloader';
     }
     logger.debug({ cmd, args }, 'composer command');
diff --git a/lib/manager/npm/extract/index.ts b/lib/manager/npm/extract/index.ts
index 7bccc130f1..aacf7d5544 100644
--- a/lib/manager/npm/extract/index.ts
+++ b/lib/manager/npm/extract/index.ts
@@ -107,7 +107,7 @@ export async function extractPackageFile(
       npmrc = npmrc.replace(/(^|\n)package-lock.*?(\n|$)/g, '\n');
     }
     if (is.string(npmrc)) {
-      if (npmrc.includes('=${') && getAdminConfig().trustLevel !== 'high') {
+      if (npmrc.includes('=${') && !getAdminConfig().exposeAllEnv) {
         logger.debug('Discarding .npmrc file with variables');
         ignoreNpmrcFile = true;
         npmrc = undefined;
diff --git a/lib/manager/npm/post-update/lerna.spec.ts b/lib/manager/npm/post-update/lerna.spec.ts
index 0dddb7c585..b5a596d671 100644
--- a/lib/manager/npm/post-update/lerna.spec.ts
+++ b/lib/manager/npm/post-update/lerna.spec.ts
@@ -109,7 +109,7 @@ describe(getName(__filename), () => {
     });
     it('allows scripts for trust level high', async () => {
       const execSnapshots = mockExecAll(exec);
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ allowScripts: true });
       const res = await lernaHelper.generateLockFiles(
         lernaPkgFile('npm'),
         'some-dir',
diff --git a/lib/manager/npm/post-update/lerna.ts b/lib/manager/npm/post-update/lerna.ts
index acba413c40..2ce9e38d4a 100644
--- a/lib/manager/npm/post-update/lerna.ts
+++ b/lib/manager/npm/post-update/lerna.ts
@@ -72,10 +72,7 @@ export async function generateLockFiles(
       return { error: false };
     }
     let lernaCommand = `lerna bootstrap --no-ci --ignore-scripts -- `;
-    if (
-      getAdminConfig().trustLevel === 'high' &&
-      config.ignoreScripts !== false
-    ) {
+    if (getAdminConfig().allowScripts && config.ignoreScripts !== false) {
       cmdOptions = cmdOptions.replace('--ignore-scripts ', '');
       lernaCommand = lernaCommand.replace('--ignore-scripts ', '');
     }
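Review bot: The rewritten `if` keeps `config.ignoreScripts !== false`, so with `allowScripts: true` the `--ignore-scripts` flag is stripped when `ignoreScripts` is undefined or `true` and kept only when it is explicitly `false`. That is the opposite of composer/artifacts.ts, pnpm.ts and yarn.ts in this patch, which disable scripts whenever `ignoreScripts` is truthy, and of the `ignoreScripts` description in definitions.ts ("skip running scripts when updating lock files"); and since `ignoreScripts` defaults to `false` there, if that default reaches `config` here the flag is never stripped at all. Unless lerna intends the inverted meaning, the line should read `if (getAdminConfig().allowScripts && !config.ignoreScripts) {`, with a lerna.spec.ts case using `ignoreScripts: true` to pin it. `generateLockFiles` begins and ends outside the hunk.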
@@ -96,7 +93,7 @@ export async function generateLockFiles(
       },
     };
     // istanbul ignore if
-    if (getAdminConfig().trustLevel === 'high') {
+    if (getAdminConfig().exposeAllEnv) {
       execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH;
       execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL;
     }
diff --git a/lib/manager/npm/post-update/npm.ts b/lib/manager/npm/post-update/npm.ts
index 0025d620fe..a11bce3923 100644
--- a/lib/manager/npm/post-update/npm.ts
+++ b/lib/manager/npm/post-update/npm.ts
@@ -71,7 +71,7 @@ export async function generateLockFile(
       },
     };
     // istanbul ignore if
-    if (getAdminConfig().trustLevel === 'high') {
+    if (getAdminConfig().exposeAllEnv) {
       execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH;
       execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL;
     }
diff --git a/lib/manager/npm/post-update/pnpm.ts b/lib/manager/npm/post-update/pnpm.ts
index 6541a41287..b9842631f9 100644
--- a/lib/manager/npm/post-update/pnpm.ts
+++ b/lib/manager/npm/post-update/pnpm.ts
@@ -50,7 +50,7 @@ export async function generateLockFile(
       },
     };
     // istanbul ignore if
-    if (getAdminConfig().trustLevel === 'high') {
+    if (getAdminConfig().exposeAllEnv) {
       execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH;
       execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL;
     }
@@ -62,7 +62,7 @@ export async function generateLockFile(
     }
     cmd = 'pnpm';
     let args = 'install --recursive --lockfile-only';
-    if (getAdminConfig().trustLevel !== 'high' || config.ignoreScripts) {
+    if (!getAdminConfig().allowScripts || config.ignoreScripts) {
       args += ' --ignore-scripts';
       args += ' --ignore-pnpmfile';
     }
diff --git a/lib/manager/npm/post-update/yarn.ts b/lib/manager/npm/post-update/yarn.ts
index 34aed8c7cd..5e7d495827 100644
--- a/lib/manager/npm/post-update/yarn.ts
+++ b/lib/manager/npm/post-update/yarn.ts
@@ -102,7 +102,7 @@ export async function generateLockFile(
       extraEnv.YARN_ENABLE_IMMUTABLE_INSTALLS = 'false';
       extraEnv.YARN_HTTP_TIMEOUT = '100000';
     }
-    if (getAdminConfig().trustLevel !== 'high' || config.ignoreScripts) {
+    if (!getAdminConfig().allowScripts || config.ignoreScripts) {
       if (isYarn1) {
         cmdOptions += ' --ignore-scripts';
       } else {
@@ -121,7 +121,7 @@ export async function generateLockFile(
       },
     };
     // istanbul ignore if
-    if (getAdminConfig().trustLevel === 'high') {
+    if (getAdminConfig().exposeAllEnv) {
       execOptions.extraEnv.NPM_AUTH = env.NPM_AUTH;
       execOptions.extraEnv.NPM_EMAIL = env.NPM_EMAIL;
     }
diff --git a/lib/manager/pip_requirements/extract.spec.ts b/lib/manager/pip_requirements/extract.spec.ts
index 6226ab5fc4..9607c03eeb 100644
--- a/lib/manager/pip_requirements/extract.spec.ts
+++ b/lib/manager/pip_requirements/extract.spec.ts
@@ -129,7 +129,7 @@ describe(getName(__filename), () => {
     });
     it('should replace env vars in high trust mode', () => {
       process.env.PIP_TEST_TOKEN = 'its-a-secret';
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ exposeAllEnv: true });
       const res = extractPackageFile(requirements7, 'unused_file_name', {});
       expect(res.registryUrls).toEqual([
         'https://pypi.org/pypi/',
diff --git a/lib/manager/pip_requirements/extract.ts b/lib/manager/pip_requirements/extract.ts
index 87e2ffaec0..87fc491b41 100644
--- a/lib/manager/pip_requirements/extract.ts
+++ b/lib/manager/pip_requirements/extract.ts
@@ -84,7 +84,7 @@ export function extractPackageFile(
     res.registryUrls = registryUrls.map((url) => {
       // handle the optional quotes in eg. `--extra-index-url "https://foo.bar"`
       const cleaned = url.replace(/^"/, '').replace(/"$/, '');
-      if (getAdminConfig().trustLevel !== 'high') {
+      if (!getAdminConfig().exposeAllEnv) {
         return cleaned;
       }
       // interpolate any environment variables
diff --git a/lib/util/exec/env.spec.ts b/lib/util/exec/env.spec.ts
index e3a0eabc25..ebc1c16900 100644
--- a/lib/util/exec/env.spec.ts
+++ b/lib/util/exec/env.spec.ts
@@ -58,7 +58,7 @@ describe('getChildProcess environment when trustlevel set to low', () => {
 
   describe('getChildProcessEnv when trustlevel set to high', () => {
     it('returns process.env if trustlevel set to high', () => {
-      setAdminConfig({ trustLevel: 'high' });
+      setAdminConfig({ exposeAllEnv: true });
       expect(getChildProcessEnv()).toMatchObject(process.env);
     });
   });
diff --git a/lib/util/exec/env.ts b/lib/util/exec/env.ts
index 38950e4e86..faffd61bf8 100644
--- a/lib/util/exec/env.ts
+++ b/lib/util/exec/env.ts
@@ -17,7 +17,7 @@ export function getChildProcessEnv(
   customEnvVars: string[] = []
 ): NodeJS.ProcessEnv {
   const env: NodeJS.ProcessEnv = {};
-  if (getAdminConfig().trustLevel === 'high') {
+  if (getAdminConfig().exposeAllEnv) {
     return { ...env, ...process.env };
   }
   const envVars = [...basicEnvVars, ...customEnvVars];
diff --git a/lib/util/exec/exec.spec.ts b/lib/util/exec/exec.spec.ts
index f5a67fbda5..e5db81a628 100644
--- a/lib/util/exec/exec.spec.ts
+++ b/lib/util/exec/exec.spec.ts
@@ -194,7 +194,7 @@ describe(getName(__filename), () => {
             maxBuffer: 10485760,
           },
         ],
-        adminConfig: { trustLevel: 'high' },
+        adminConfig: { exposeAllEnv: true },
       },
     ],
 
diff --git a/lib/workers/branch/index.spec.ts b/lib/workers/branch/index.spec.ts
index a38f6cce33..73d6824250 100644
--- a/lib/workers/branch/index.spec.ts
+++ b/lib/workers/branch/index.spec.ts
@@ -736,7 +736,7 @@ describe(getName(__filename), () => {
       const adminConfig = {
         allowedPostUpgradeCommands: ['^echo {{{versioning}}}$'],
         allowPostUpgradeCommandTemplating: true,
-        trustLevel: 'high',
+        exposeAllEnv: true,
       };
       setAdminConfig(adminConfig);
 
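Review bot: This fixture, and the three later hunks in this file, still set `exposeAllEnv: true` alongside `allowedPostUpgradeCommands`, although the commit message says nothing additional is needed for post-upgrade commands any more. If these tests pass with that line removed, dropping it would actually demonstrate the decoupling the message claims; if they do not, the message overstates it and the `allowedPostUpgradeCommands` docs should say the commands still depend on `exposeAllEnv`. Either way the suite lacks a case whose intent is "commands allowed, env not exposed", which is the configuration the message encourages. The enclosing `describe` blocks continue outside the hunk.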
@@ -816,7 +816,7 @@ describe(getName(__filename), () => {
       const adminConfig = {
         allowedPostUpgradeCommands: ['^exit 1$'],
         allowPostUpgradeCommandTemplating: true,
-        trustLevel: 'high',
+        exposeAllEnv: true,
       };
       setAdminConfig(adminConfig);
 
@@ -885,7 +885,7 @@ describe(getName(__filename), () => {
       const adminConfig = {
         allowedPostUpgradeCommands: ['^echo {{{versioning}}}$'],
         allowPostUpgradeCommandTemplating: false,
-        trustLevel: 'high',
+        exposeAllEnv: true,
       };
       setAdminConfig(adminConfig);
       const result = await branchWorker.processBranch({
@@ -965,7 +965,7 @@ describe(getName(__filename), () => {
       const adminConfig = {
         allowedPostUpgradeCommands: ['^echo {{{depName}}}$'],
         allowPostUpgradeCommandTemplating: true,
-        trustLevel: 'high',
+        exposeAllEnv: true,
       };
       setAdminConfig(adminConfig);
 
-- 
GitLab