Skip to content

Strip all CODER_ environment variables from provisioner #4635

Closed
@ammario

Description

@ammario

Right now, Coder passes all of its environment variables into the provisioner. A malicious template could use this behavior to exfiltrate CODER_PG_CONNECTION_URL and "root" Coder. To be safe in perpetuity, we should just strip all CODER_ environment variables.

Metadata

Metadata

Assignees

Labels

s0Major regression, all-hands-on-deck to fixsecurityArea: security

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions