CONFIG_FORCE_: Environment variables appear twice in Configuration #684

Closed
GMShuhr opened this issue May 4, 2020 · 1 comment

GMShuhr commented May 4, 2020

(This issue is a copy of Play Issue 10206 but was opened here again, since it is not really a Play issue)

Config Version:

1.4.0 (according to the JAR file name)

Play Version

2.8.1

API

Scala 2.12.8

Operating System

MacOS 10.15.4

JDK

java version "1.8.0_171"
Java(TM) SE Runtime Environment (build 1.8.0_171-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.171-b11, mixed mode)

Expected Behavior

  1. Define an environment variable (e.g. CONFIG_FORCE_dummy_foo_bar=1) on the command line according to the naming scheme described in the systemEnvironmentOverrides Javadoc
  2. Start sbt from command line with the option -Dconfig.override_with_env_vars=true to enable system environment overrides
  3. In the running application, get the Configuration object (e.g. by dependency injection)
  4. The entry "dummy.foo.bar" with value "1" should be found in the Configuration object.
  5. The entry "CONFIG_FORCE_dummy_foo_bar" (i.e. the original name of the environment variable) should NOT be found in the configuration.

Actual Behavior

  1. Define an environment variable (e.g. CONFIG_FORCE_dummy_foo_bar=1) on the command line according to the naming scheme described in the systemEnvironmentOverrides Javadoc
  2. Start sbt from command line with the option -Dconfig.override_with_env_vars=true to enable system environment overrides
  3. In the running application, get the Configuration object (e.g. by dependency injection)
  4. The entry "dummy.foo.bar" with value "1" is found in the Configuration object.
  5. The entry "CONFIG_FORCE_dummy_foo_bar" (i.e. the original name of the environment variable) with the same value IS ALSO found in the Configuration object.
  6. Also, any other environment variable existing at startup time, whether it starts with "CONFIG_FORCE_" or not, is found in the Configuration object.

The appearance of unwanted values in the Configuration object can lead to all kinds of problems, starting with name collisions and security and privacy issues.

The cause of the problem seems to be the implementation of com.typesafe.config.impl.ConfigImpl.loadEnvVariablesOverrides():

The "result" map gets initialized with all the original environment variables

Map<String, String> result = new HashMap(System.getenv());

It should instead be initialized to an empty map and only be filled by the loop following in the code.


mkurz commented Sep 18, 2020

@havocp This issue can be closed, it was fixed in #686 already.

@havocp havocp closed this as completed Sep 18, 2020
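
The behaviour reported in the issue above, as an added sketch that is not the library's own code: it contrasts a result map seeded with the whole environment against one that starts empty, using a constructed environment. The class and method names, the sample variables and the simplified single-underscore mapping are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.TreeSet;

public class EnvOverrideDemo {
    static final String PREFIX = "CONFIG_FORCE_";

    // Simplified name mapping (assumption): only the single-underscore-to-dot
    // case shown in the issue (CONFIG_FORCE_dummy_foo_bar -> dummy.foo.bar).
    static String toConfigKey(String envName) {
        return envName.substring(PREFIX.length()).replace('_', '.');
    }

    // seedWithEnv = true mirrors the reported initialization
    // (new HashMap(System.getenv())); false starts from an empty map.
    static Map<String, String> overrides(Map<String, String> env, boolean seedWithEnv) {
        Map<String, String> result = seedWithEnv ? new HashMap<>(env) : new HashMap<>();
        for (Map.Entry<String, String> e : env.entrySet()) {
            String name = e.getKey();
            if (name.startsWith(PREFIX) && name.length() > PREFIX.length()) {
                result.put(toConfigKey(name), e.getValue());
            }
        }
        return result;
    }

    // Keys in the override map that are also raw environment variable names,
    // i.e. entries that were copied in rather than mapped from the prefix.
    static TreeSet<String> leakedKeys(Map<String, String> env, Map<String, String> result) {
        TreeSet<String> leaked = new TreeSet<>(result.keySet());
        leaked.retainAll(env.keySet());
        return leaked;
    }

    public static void main(String[] args) {
        // Constructed environment for the demo; not read from the real process.
        Map<String, String> env = new HashMap<>();
        env.put("CONFIG_FORCE_dummy_foo_bar", "1");
        env.put("HOME", "/home/app");
        env.put("DB_PASSWORD", "constructed-secret");

        Map<String, String> seeded = overrides(env, true);
        Map<String, String> empty = overrides(env, false);
        System.out.println("seeded map keys:   " + new TreeSet<>(seeded.keySet()));
        System.out.println("seeded map leaks:  " + leakedKeys(env, seeded));
        System.out.println("empty-start keys:  " + new TreeSet<>(empty.keySet()));
        System.out.println("empty-start leaks: " + leakedKeys(env, empty));
    }
}
```

The same `leakedKeys` comparison can serve as a regression check in an application's own tests: any raw environment name showing up in the override map means unrelated variables, secrets included, are reachable through the configuration.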