Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cabal 3.14.1.0 invokes test binaries with a corrupt (duplicated) environment variable list #10718

Open
Rufflewind opened this issue Jan 6, 2025 · 2 comments
Open

Cabal 3.14.1.0 invokes test binaries with a corrupt (duplicated) environment variable list #10718

Rufflewind opened this issue Jan 6, 2025 · 2 comments
Labels
regression in 3.14 type: bug

Comments

@Rufflewind
Copy link
Member

Describe the bug

cabal 3.14.1.0 invokes test binaries with with an invalid environment variable list that contains duplicate entries.

As documented by POSIX: https://pubs.opengroup.org/onlinepubs/9799919799/basedefs/V1_chap08.html

If more than one string in an environment of a process has the same name, the consequences are undefined.

This is causing the directory CI tests to fail: https://github.com/haskell/directory/actions/runs/12595046406

The bug is not found in cabal 3.12.1.0.

To Reproduce

-- Main.hs
module Main where
import Data.List (sort)
import System.Environment (getEnvironment)
main = print =<< fmap sort getEnvironment
-- foo.cabal
cabal-version:      3.0
name:               foo
version:            0.1.0.0
build-type:         Simple

test-suite test
    build-depends:    base
    default-language: Haskell2010
    main-is:          Main.hs
    type:             exitcode-stdio-1.0
$ cabal test

Actual output

[("COLORTERM","truecolor"),("COLORTERM","truecolor"),("DBUS_SESSION_BUS_ADDRESS",...),("DBUS_SESSION_BUS_ADDRESS",...),...

Expected behavior

There should not be any duplicates, i.e.

[("COLORTERM","truecolor"),("DBUS_SESSION_BUS_ADDRESS",...),...

System information

  • Operating system: Tested on Ubuntu (Github Actions) + WSL Debian
  • Reproducible on cabal 3.14.1.0. Not reproducible on cabal 3.12.1.0.
  • Reproducible on several GHC versions.
Rufflewind added a commit to Rufflewind/directory that referenced this issue Jan 6, 2025
@Rufflewind
Pin Cabal to 3.12.10 until upstream bug is fixed
79b8d13 
haskell/cabal#10718 breaks the tests.
@ulysses4ever
Copy link
Collaborator

Hey! Thanks for the report! Presumably, this issue doesn't lead to a failure in any case, does it? I'm asking because it'd be good to understand how severe it is. On the surface it looks rather benign to me.

@Rufflewind
Copy link
Member Author

Rufflewind commented Jan 6, 2025
edited
Loading

It may cause uses of environment variables in tests to behave incorrectly. In the theoretical worst-case scenario, it could lead to security risks, e.g.

The severity of this issue in practice is unclear. The most probable scenario I can think of is that a fragile piece of code that scrubs sensitive data out of environment variables could misbehave due to the duplication, causing credentials to get leaked through, say, logs. A bit of a stretch but not impossible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
regression in 3.14 type: bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Rufflewind @ulysses4ever