improve flexibility of limactl shell cmd

Signed-off-by: olalekan odukoya <[email protected]>

Author: olamilekan000

hack/bats/tests/preserve-env.bats

@@ -93,13 +93,13 @@ local_setup() {
     assert_line BAR=bar
 }
 
-@test 'wildcard does only work at the end of the pattern' {
+@test 'wildcard works at the start of the pattern' {
     export LIMA_SHELLENV_BLOCK="*FOO"
     export FOO=foo
     export BARFOO=barfoo
     run -0 limactl shell --preserve-env "$NAME" printenv
-    assert_line FOO=foo
-    assert_line BARFOO=barfoo
+    refute_line --regexp '^BARFOO='
+    refute_line --regexp '^FOO='
 }
 
 @test 'block list can use a , separated list with whitespace ignored' {
@@ -114,16 +114,6 @@ local_setup() {
     assert_line BARBAZ=barbaz
 }
 
-@test 'allow list overrides block list but blocks everything else' {
-    export LIMA_SHELLENV_ALLOW=SSH_FOO
-    export SSH_FOO=ssh_foo
-    export SSH_BAR=ssh_bar
-    export BAR=bar
-    run -0 limactl shell --preserve-env "$NAME" printenv
-    assert_line SSH_FOO=ssh_foo
-    refute_line --regexp '^SSH_BAR='
-    refute_line --regexp '^BAR='
-}
 
 @test 'allow list can use a , separated list with whitespace ignored' {
     export LIMA_SHELLENV_ALLOW="FOO*, , BAR"
@@ -135,16 +125,174 @@ local_setup() {
     assert_line FOO=foo
     assert_line FOOBAR=foobar
     assert_line BAR=bar
-    refute_line --regexp '^BARBAZ='
+    assert_line BARBAZ=barbaz
 }
 
-@test 'setting both allow list and block list generates a warning' {
-    export LIMA_SHELLENV_ALLOW=FOO
-    export LIMA_SHELLENV_BLOCK=BAR
+@test 'wildcard works in the middle of the pattern' {
+    export LIMA_SHELLENV_BLOCK="FOO*BAR"
     export FOO=foo
-    run -0 --separate-stderr limactl shell --preserve-env "$NAME" printenv FOO
-    assert_output foo
-    assert_stderr --regexp 'level=warning msg="Both LIMA_SHELLENV_BLOCK and LIMA_SHELLENV_ALLOW are set'
+    export FOOBAR=foobar
+    export FOOXYZBAR=fooxyzbar
+    export FOOBAZ=foobaz
+    export BAZBAR=bazbar
+    run -0 limactl shell --preserve-env "$NAME" printenv
+    refute_line --regexp '^FOOBAR='
+    refute_line --regexp '^FOOXYZBAR='
+    assert_line FOO=foo
+    assert_line FOOBAZ=foobaz
+    assert_line BAZBAR=bazbar
+}
+
+@test 'multiple wildcards work in complex patterns' {
+    export LIMA_SHELLENV_BLOCK="*FOO*BAR*"
+    export FOO=foo
+    export BAR=bar
+    export FOOBAR=foobar
+    export XFOOYBARZDOTCOM=xfooybarzdotcom
+    export FOOBAZ=foobaz
+    export BAZBAR=bazbar
+    export UNRELATED=unrelated
+    run -0 limactl shell --preserve-env "$NAME" printenv
+    refute_line --regexp '^FOOBAR='
+    refute_line --regexp '^XFOOYBARZDOTCOM='
+    assert_line FOO=foo
+    assert_line BAR=bar
+    assert_line FOOBAZ=foobaz
+    assert_line BAZBAR=bazbar
+    assert_line UNRELATED=unrelated
+}
+
+@test 'wildcards at beginning, middle, and end all work together' {
+    export LIMA_SHELLENV_BLOCK="*TEST*,FOO*BAR,*SUFFIX"
+    export PREFIX_TEST_VAR=prefix_test_var
+    export FOOBAR=foobar
+    export FOOXYZBAR=fooxyzbar
+    export VAR_SUFFIX=var_suffix
+    export NORMAL_VAR=normal_var
+    run -0 limactl shell --preserve-env "$NAME" printenv
+    refute_line --regexp '^PREFIX_TEST_VAR='
+    refute_line --regexp '^FOOBAR='
+    refute_line --regexp '^FOOXYZBAR='
+    refute_line --regexp '^VAR_SUFFIX='
+    assert_line NORMAL_VAR=normal_var
+}
+
+@test 'complex allow/block interaction with default block list' {
+    export LIMA_SHELLENV_ALLOW="SSH_FOO,CUSTOM*"
+    export LIMA_SHELLENV_BLOCK="+*TOKEN"
+    export SSH_FOO=ssh_foo                 
+    export SSH_BAR=ssh_bar                 
+    export CUSTOM_VAR=custom_var         
+    export MY_TOKEN=my_token               
+    export NORMAL_VAR=normal_var        
+    run -0 limactl shell --preserve-env "$NAME" printenv
+    assert_line SSH_FOO=ssh_foo            
+    refute_line --regexp '^SSH_BAR='       
+    assert_line CUSTOM_VAR=custom_var     
+    refute_line --regexp '^MY_TOKEN='     
+    assert_line NORMAL_VAR=normal_var     
+}
+
+@test 'allow list with * block list blocks everything not explicitly allowed' {
+    export LIMA_SHELLENV_ALLOW="FOO,BAR*"
+    export LIMA_SHELLENV_BLOCK="*"        
+    export FOO=foo
+    export BAR=bar
+    export BARBAZ=barbaz
+    export OTHER_VAR=other_var
+    run -0 limactl shell --preserve-env "$NAME" printenv
+    assert_line FOO=foo                    
+    assert_line BAR=bar                    
+    assert_line BARBAZ=barbaz             
+    refute_line --regexp '^OTHER_VAR='
+}
+
+@test 'allow list supports wildcards in all positions' {
+    export LIMA_SHELLENV_ALLOW="*PREFIX,MIDDLE*PATTERN,SUFFIX*"
+    export LIMA_SHELLENV_BLOCK="*"        
+    export TEST_PREFIX=test_prefix
+    export MIDDLE_TEST_PATTERN=middle_test_pattern
+    export SUFFIX_TEST=suffix_test
+    export OTHER=other
+    run -0 limactl shell --preserve-env "$NAME" printenv
+    assert_line TEST_PREFIX=test_prefix
+    assert_line MIDDLE_TEST_PATTERN=middle_test_pattern
+    assert_line SUFFIX_TEST=suffix_test
+    refute_line --regexp '^OTHER='
+}
+
+@test 'invalid characters in patterns cause fatal errors' {
+    export LIMA_SHELLENV_BLOCK="FOO-BAR" 
+    run ! limactl shell --preserve-env "$NAME" printenv
+    assert_output --partial "Invalid LIMA_SHELLENV_BLOCK pattern"
+    assert_output --partial "contains invalid character"
+}
+
+@test 'allow list with wildcards allows only matching patterns' {
+    export LIMA_SHELLENV_ALLOW="FOO*,BAR"
+    export FOO=foo
+    export FOOBAR=foobar
+    export BAR=bar
+    export BARBAZ=barbaz
+    export OTHER_VAR=OTHER_VAR
+    run -0 limactl shell --preserve-env "$NAME" printenv
+    assert_line FOO=foo                   
+    assert_line FOOBAR=foobar             
+    assert_line BAR=bar                  
+    assert_line BARBAZ=barbaz                  
+    assert_line OTHER_VAR=OTHER_VAR                  
+}
+
+@test 'allow list overrides block list entries but block list still applies to others' {
+    export LIMA_SHELLENV_BLOCK="FOO,*TOKEN"
+    export FOO=foo
+    export MY_TOKEN=my_token
+    export SECRET_TOKEN=secret_token
+    export OTHER_VAR=other_var
+    run -0 limactl shell --preserve-env "$NAME" printenv
+    refute_line --regexp '^FOO='     
+    refute_line --regexp '^MY_TOKEN='     
+    refute_line --regexp '^SECRET_TOKEN=' 
+    assert_line OTHER_VAR=other_var       
+}
+
+@test 'allow/block interaction with default block list' {
+    export LIMA_SHELLENV_ALLOW="SSH_FOO,CUSTOM*"
+    export LIMA_SHELLENV_BLOCK="+*TOKEN"   
+    export SSH_FOO=ssh_foo                
+    export SSH_BAR=ssh_bar                
+    export CUSTOM_VAR=custom_var          
+    export MY_TOKEN=my_token              
+    export NORMAL_VAR=normal_var          
+    run -0 limactl shell --preserve-env "$NAME" printenv
+    assert_line SSH_FOO=ssh_foo           
+    refute_line --regexp '^SSH_BAR='      
+    assert_line CUSTOM_VAR=custom_var     
+    refute_line --regexp '^MY_TOKEN='     
+    assert_line NORMAL_VAR=normal_var     
+}
+
+@test 'universal block list blocks everything' {
+    export LIMA_SHELLENV_BLOCK="*"
+    export FOO=foo
+    export BAR=bar
+    export OTHER_VAR=other_var
+    run -0 limactl shell --preserve-env "$NAME" printenv
+    refute_line --regexp '^FOO='
+    refute_line --regexp '^BAR='
+    refute_line --regexp '^OTHER_VAR='
+}
+
+@test 'universal block list blocks everything but with an allow' {
+    export LIMA_SHELLENV_BLOCK="*"
+    export LIMA_SHELLENV_ALLOW="FOO*"
+    export FOO=foo
+    export BAR=bar
+    export OTHER_VAR=other_var
+    run -0 limactl shell --preserve-env "$NAME" printenv
+    assert_line FOO=foo
+    refute_line --regexp '^BAR='
+    refute_line --regexp '^OTHER_VAR='
 }
 
 @test 'limactl info includes the default block list' {

hack/test-preserve-env.sh

@@ -80,15 +80,4 @@ if [ "$got_allowed" != "$allow_test_value" ]; then
 	exit 1
 fi
 
-# Non-allowed variables are blocked when LIMA_SHELLENV_ALLOW is set
-INFO "=== Non-allowed variables are blocked when LIMA_SHELLENV_ALLOW is set ==="
-other_test_var="LIMA_TEST_OTHER_VAR"
-other_test_value="should-be-blocked"
-got_other="$(LIMA_SHELLENV_ALLOW="LIMA_TEST_ALLOW_*" LIMA_TEST_OTHER_VAR="$other_test_value" limactl shell --preserve-env "$NAME" printenv "$other_test_var" 2>/dev/null || echo "NOT_FOUND")"
-INFO "$other_test_var with LIMA_SHELLENV_ALLOW (should be blocked): got=${got_other}"
-if [ "$got_other" != "NOT_FOUND" ]; then
-	ERROR "Non-allowed environment variable was propagated when LIMA_SHELLENV_ALLOW was set"
-	exit 1
-fi
-
 INFO "All --preserve-env tests passed"

pkg/envutil/envutil.go

@@ -4,7 +4,9 @@
 package envutil
 
 import (
+	"fmt"
 	"os"
+	"regexp"
 	"slices"
 	"strings"
 
@@ -39,30 +41,58 @@ var defaultBlockList = []string{
 	"XDG_*",
 	"ZDOTDIR",
 	"ZSH*",
+	"*PASSWORD*",
+	"*TOKEN*",
+	"*SECRET*",
 	"_*", // Variables starting with underscore are typically internal
 }
 
+func validatePattern(pattern string) error {
+	invalidChar := regexp.MustCompile(`([^a-zA-Z0-9_*])`)
+	if matches := invalidChar.FindStringSubmatch(pattern); matches != nil {
+		invalidCharacter := matches[1]
+		pos := strings.Index(pattern, invalidCharacter)
+		return fmt.Errorf("pattern %q contains invalid character %q at position %d",
+			pattern, invalidCharacter, pos)
+	}
+	return nil
+}
+
 // getBlockList returns the list of environment variable patterns to be blocked.
-// The second return value indicates whether the list was explicitly set via LIMA_SHELLENV_BLOCK.
-func getBlockList() ([]string, bool) {
+func getBlockList() []string {
 	blockEnv := os.Getenv("LIMA_SHELLENV_BLOCK")
 	if blockEnv == "" {
-		return defaultBlockList, false
+		return defaultBlockList
+	}
+
+	shouldAppend := strings.HasPrefix(blockEnv, "+")
+	patterns := parseEnvList(strings.TrimPrefix(blockEnv, "+"))
+
+	for _, pattern := range patterns {
+		if err := validatePattern(pattern); err != nil {
+			logrus.Fatalf("Invalid LIMA_SHELLENV_BLOCK pattern: %v", err)
+		}
 	}
-	after, found := strings.CutPrefix(blockEnv, "+")
-	if !found {
-		return parseEnvList(blockEnv), true
+
+	if shouldAppend {
+		return slices.Concat(defaultBlockList, patterns)
 	}
-	return slices.Concat(defaultBlockList, parseEnvList(after)), true
+	return patterns
 }
 
 // getAllowList returns the list of environment variable patterns to be allowed.
-// The second return value indicates whether the list was explicitly set via LIMA_SHELLENV_ALLOW.
-func getAllowList() ([]string, bool) {
+func getAllowList() []string {
 	if allowEnv := os.Getenv("LIMA_SHELLENV_ALLOW"); allowEnv != "" {
-		return parseEnvList(allowEnv), true
+		patterns := parseEnvList(allowEnv)
+
+		for _, pattern := range patterns {
+			if err := validatePattern(pattern); err != nil {
+				logrus.Fatalf("Invalid LIMA_SHELLENV_ALLOW pattern: %v", err)
+			}
+		}
+		return patterns
 	}
-	return nil, false
+	return nil
 }
 
 func parseEnvList(envList string) []string {
@@ -82,8 +112,14 @@ func matchesPattern(name, pattern string) bool {
 		return true
 	}
 
-	prefix, found := strings.CutSuffix(pattern, "*")
-	return found && strings.HasPrefix(name, prefix)
+	regexPattern := strings.ReplaceAll(pattern, "*", ".*")
+	regexPattern = "^" + regexPattern + "$"
+
+	match, err := regexp.MatchString(regexPattern, name)
+	if err != nil {
+		return false
+	}
+	return match
 }
 
 func matchesAnyPattern(name string, patterns []string) bool {
@@ -96,17 +132,10 @@ func matchesAnyPattern(name string, patterns []string) bool {
 // It returns a slice of environment variables that are not blocked by the current configuration.
 // The filtering is controlled by LIMA_SHELLENV_BLOCK and LIMA_SHELLENV_ALLOW environment variables.
 func FilterEnvironment() []string {
-	allowList, isAllowListSet := getAllowList()
-	blockList, isBlockListSet := getBlockList()
-
-	if isBlockListSet && isAllowListSet {
-		logrus.Warn("Both LIMA_SHELLENV_BLOCK and LIMA_SHELLENV_ALLOW are set. Block list will be ignored.")
-		blockList = nil
-	}
 	return filterEnvironmentWithLists(
 		os.Environ(),
-		allowList,
-		blockList,
+		getAllowList(),
+		getBlockList(),
 	)
 }
 
@@ -121,10 +150,7 @@ func filterEnvironmentWithLists(env, allowList, blockList []string) []string {
 
 		name := parts[0]
 
-		if len(allowList) > 0 {
-			if !matchesAnyPattern(name, allowList) {
-				continue
-			}
+		if len(allowList) > 0 && matchesAnyPattern(name, allowList) {
 			filtered = append(filtered, envVar)
 			continue
 		}