feat: implement local .env and setenv.sh setup to make environment configuration resilient#1298
Conversation
…nfiguration resilient
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces environment variable management using a .env file across several setup scripts (setenv.sh, setup_alloydb.sh, and setup_lab.sh). While this improves configuration persistence, the current method of loading variables using export $(grep -v '^#' ... | xargs) has critical flaws. It can leak sensitive environment variables if the .env file is empty, cause shell crashes under strict error-handling settings (set -e / pipefail), and fail to parse values containing spaces. It is highly recommended to replace this pattern with a robust while read loop as suggested in the feedback.
| if [ -f "$ENV_FILE" ]; then | ||
| echo "Loading environment variables from $ENV_FILE..." | ||
| # Export all non-commented variables from the .env file cleanly | ||
| export $(grep -v '^#' "$ENV_FILE" | xargs) |
There was a problem hiding this comment.
Using export $(grep -v '^#' "$ENV_FILE" | xargs) has several critical issues:
- Information Disclosure / Leakage: If the
.envfile is empty or only contains comments,grepwill produce no output. Runningexportwith no arguments in Bash prints all exported environment variables, which can leak sensitive credentials or tokens to the console/build logs. - Shell Crashes: If the calling shell has
set -eandset -o pipefailenabled, sourcing this script will cause the shell to exit immediately ifgrepreturns a non-zero exit code (which happens when no matches are found, e.g., an empty or comment-only file). - Handling Spaces: This pattern splits on whitespace, which will break if any environment variable value contains spaces.
Using a while read loop is much safer, robust, and handles spaces and empty files correctly without crashing.
| if [ -f "$ENV_FILE" ]; then | |
| echo "Loading environment variables from $ENV_FILE..." | |
| # Export all non-commented variables from the .env file cleanly | |
| export $(grep -v '^#' "$ENV_FILE" | xargs) | |
| if [ -f "$ENV_FILE" ]; then | |
| echo "Loading environment variables from $ENV_FILE..." | |
| while IFS= read -r line || [[ -n "$line" ]]; do | |
| [[ "$line" =~ ^[[:space:]]*# || -z "$line" ]] && continue | |
| export "$line" | |
| done < "$ENV_FILE" | |
| fi |
| if [ -f "$ENV_FILE" ]; then | ||
| echo "Found existing environment file: $ENV_FILE" | ||
| export $(grep -v '^#' "$ENV_FILE" | xargs) | ||
| fi |
There was a problem hiding this comment.
Using export $(grep -v '^#' "$ENV_FILE" | xargs) has several critical issues:
- Information Disclosure / Leakage: If the
.envfile is empty or only contains comments,grepwill produce no output. Runningexportwith no arguments in Bash prints all exported environment variables, which can leak sensitive credentials or tokens to the console/build logs. - Shell Crashes: Since
set -eis enabled in this script, ifgrepreturns a non-zero exit code (which happens when no matches are found, e.g., an empty or comment-only file), the script may crash depending on shell settings. - Handling Spaces: This pattern splits on whitespace, which will break if any environment variable value contains spaces.
Using a while read loop is much safer, robust, and handles spaces and empty files correctly without crashing.
| if [ -f "$ENV_FILE" ]; then | |
| echo "Found existing environment file: $ENV_FILE" | |
| export $(grep -v '^#' "$ENV_FILE" | xargs) | |
| fi | |
| if [ -f "$ENV_FILE" ]; then | |
| echo "Found existing environment file: $ENV_FILE" | |
| while IFS= read -r line || [[ -n "$line" ]]; do | |
| [[ "$line" =~ ^[[:space:]]*# || -z "$line" ]] && continue | |
| export "$line" | |
| done < "$ENV_FILE" | |
| fi |
| if [ -f "$ENV_FILE" ]; then | ||
| echo "Loading environment variables from $ENV_FILE..." | ||
| export $(grep -v '^#' "$ENV_FILE" | xargs) | ||
| fi |
There was a problem hiding this comment.
Using export $(grep -v '^#' "$ENV_FILE" | xargs) has several critical issues:
- Information Disclosure / Leakage: If the
.envfile is empty or only contains comments,grepwill produce no output. Runningexportwith no arguments in Bash prints all exported environment variables, which can leak sensitive credentials or tokens to the console/build logs. - Shell Crashes: Since
set -euo pipefailis enabled in this script, ifgrepreturns a non-zero exit code (which happens when no matches are found, e.g., an empty or comment-only file), the pipeline will fail and the script will crash immediately. - Handling Spaces: This pattern splits on whitespace, which will break if any environment variable value contains spaces.
Using a while read loop is much safer, robust, and handles spaces and empty files correctly without crashing.
| if [ -f "$ENV_FILE" ]; then | |
| echo "Loading environment variables from $ENV_FILE..." | |
| export $(grep -v '^#' "$ENV_FILE" | xargs) | |
| fi | |
| if [ -f "$ENV_FILE" ]; then | |
| echo "Loading environment variables from $ENV_FILE..." | |
| while IFS= read -r line || [[ -n "$line" ]]; do | |
| [[ "$line" =~ ^[[:space:]]*# || -z "$line" ]] && continue | |
| export "$line" | |
| done < "$ENV_FILE" | |
| fi |
1 participant
No description provided.