Skip to content

feat(env): add source_os method for safe Unicode env handling #683

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

feat(env): add source_os method for safe Unicode env handling #683

wants to merge 1 commit into from

Conversation

gustavovalverde
Copy link

Problem

The current Environment::source() method has critical limitations:

  1. Unicode Panics: Using env::vars() panics on invalid Unicode
  2. Race Conditions: TOCTOU vulnerability when filtering environment variables
  3. API Limitation: Only supports Map<String, String>, blocking OS path handling

This was originally identified by @str4d

More context: https://github.com/zcash/wallet/pull/194/files#r2288154972

Solution

Add source_os() method that accepts Map<OsString, OsString>:

  • Uses env::vars_os() internally for safe Unicode handling
  • Eliminates race conditions with atomic snapshots
  • Maintains full backward compatibility
  • Takes precedence over source() when both are set

Example Usage

// Safe filtering without Unicode panics or race conditions
let mut filtered_env = Map::new();
for (key, value) in env::vars_os() {
    if let Some(key_str) = key.to_str() {
        if key_str.starts_with("PREFIX_") && !is_sensitive(key_str) {
            filtered_env.insert(key, value);
        }
    }
}

Environment::with_prefix("PREFIX").source_os(Some(filtered_env))

Tests

  • All existing tests pass (148/148)
  • New Unicode safety tests added
  • Precedence behavior tested
  • Example with real-world usage included

@gustavovalverde
feat(env): add source_os method for safe Unicode handling
a22e03f 
- Add os_source field to Environment struct
- Add source_os() method accepting Map<OsString, OsString>
- Prioritize os_source over source for safer Unicode handling
- Prevents panics on invalid Unicode environment variables
- Eliminates race conditions in environment filtering
- Add tests for Unicode handling in environment variables
- Add safe environment filtering example
@epage
Copy link
Contributor

epage commented Aug 21, 2025

Looking over the points of the PR, I'm not seeing a reason to continue forward with this.

If there is something I missed, please open an Issue per distinct concern as our contributing guide asks.

Unicode Panics: Using env::vars() panics on invalid Unicode

No, it doesn't

Race Conditions: TOCTOU vulnerability when filtering environment variables

What is the justification for this?

API Limitation: Only supports Map<String, String>, blocking OS path handling

This whole library has this limitation

@epage epage closed this Aug 21, 2025
gustavovalverde added a commit to gustavovalverde/wallet that referenced this pull request Aug 21, 2025
@gustavovalverde
feat(config): add SafeEnvironment source for safe Unicode handling
45fef6c 
Add temporary SafeEnvironment source to resolve Unicode panics and race
conditions in environment variable filtering while awaiting upstream
config-rs fix for OsString support

- Prevents env::vars() Unicode panics using env::vars_os()
- Eliminates race conditions with atomic environment snapshots
- Maintains sensitive key filtering functionality
- Implements config::Source trait for full compatibility
- Includes comprehensive tests and documentation

References:
- https://github.com/zcash/wallet/pull/194/files#r2288154972
- rust-cli/config-rs#683
@gustavovalverde gustavovalverde mentioned this pull request Aug 21, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gustavovalverde @epage