Hide sensitive tokens from install/test/post.

Hide these tokens to avoid malicious subprocesses e.g. sending them
over the network. Also, support using these tokens with environment
filtering and clear `HOMEBREW_PATH` from subprocesses to stop them
sniffing it. Finally, use `HOMEBREW_PATH` to detect Homebrew’s user’s
PATH for e.g. `brew doctor` etc.

9 files changed, 48 insertions, 14 deletions

diff --git a/Library/Homebrew/dev-cmd/mirror.rb b/Library/Homebrew/dev-cmd/mirror.rb
index 10811493c..e2492203d 100644
--- a/Library/Homebrew/dev-cmd/mirror.rb
+++ b/Library/Homebrew/dev-cmd/mirror.rb
@@ -8,10 +8,10 @@ module Homebrew
   def mirror
     odie "This command requires at least formula argument!" if ARGV.named.empty?
 
-    bintray_user = ENV["BINTRAY_USER"]
-    bintray_key = ENV["BINTRAY_KEY"]
+    bintray_user = ENV["HOMEBREW_BINTRAY_USER"]
+    bintray_key = ENV["HOMEBREW_BINTRAY_KEY"]
     if !bintray_user || !bintray_key
-      raise "Missing BINTRAY_USER or BINTRAY_KEY variables!"
+      raise "Missing HOMEBREW_BINTRAY_USER or HOMEBREW_BINTRAY_KEY variables!"
     end
 
     ARGV.formulae.each do |f|
diff --git a/Library/Homebrew/dev-cmd/pull.rb b/Library/Homebrew/dev-cmd/pull.rb
index 36c9ac27c..0616b990b 100644
--- a/Library/Homebrew/dev-cmd/pull.rb
+++ b/Library/Homebrew/dev-cmd/pull.rb
@@ -263,7 +263,7 @@ module Homebrew
     end
 
     published = []
-    bintray_creds = { user: ENV["BINTRAY_USER"], key: ENV["BINTRAY_KEY"] }
+    bintray_creds = { user: ENV["HOMEBREW_BINTRAY_USER"], key: ENV["HOMEBREW_BINTRAY_KEY"] }
     if bintray_creds[:user] && bintray_creds[:key]
       changed_formulae_names.each do |name|
         f = Formula[name]
@@ -272,7 +272,7 @@ module Homebrew
         published << f.full_name
       end
     else
-      opoo "You must set BINTRAY_USER and BINTRAY_KEY to add or update bottles on Bintray!"
+      opoo "You must set HOMEBREW_BINTRAY_USER and HOMEBREW_BINTRAY_KEY to add or update bottles on Bintray!"
     end
     published
   end
diff --git a/Library/Homebrew/diagnostic.rb b/Library/Homebrew/diagnostic.rb
index 61cdf2f1a..28b57579b 100644
--- a/Library/Homebrew/diagnostic.rb
+++ b/Library/Homebrew/diagnostic.rb
@@ -439,7 +439,7 @@ module Homebrew
 
         message = ""
 
-        paths.each do |p|
+        paths(ENV["HOMEBREW_PATH"]).each do |p|
           case p
           when "/usr/bin"
             unless $seen_prefix_bin
@@ -609,7 +609,7 @@ module Homebrew
           /Applications/Server.app/Contents/ServerRoot/usr/sbin
         ].map(&:downcase)
 
-        paths.each do |p|
+        paths(ENV["HOMEBREW_PATH"]).each do |p|
           next if whitelist.include?(p.downcase) || !File.directory?(p)
 
           realpath = Pathname.new(p).realpath.to_s
diff --git a/Library/Homebrew/extend/ENV.rb b/Library/Homebrew/extend/ENV.rb
index 729598e28..283e90b69 100644
--- a/Library/Homebrew/extend/ENV.rb
+++ b/Library/Homebrew/extend/ENV.rb
@@ -26,6 +26,13 @@ module EnvActivation
   ensure
     replace(old_env)
   end
+
+  def clear_sensitive_environment!
+    ENV.keys.each do |key|
+      next unless /(cookie|key|token)/i =~ key
+      ENV.delete key
+    end
+  end
 end
 
 ENV.extend(EnvActivation)
diff --git a/Library/Homebrew/formula.rb b/Library/Homebrew/formula.rb
index 523de244d..868149a05 100644
--- a/Library/Homebrew/formula.rb
+++ b/Library/Homebrew/formula.rb
@@ -13,6 +13,7 @@ require "pkg_version"
 require "tap"
 require "keg"
 require "migrator"
+require "extend/ENV"
 
 # A formula provides instructions and metadata for Homebrew to install a piece
 # of software. Every Homebrew formula is a {Formula}.
@@ -1013,10 +1014,17 @@ class Formula
     @prefix_returns_versioned_prefix = true
     build = self.build
     self.build = Tab.for_formula(self)
+
     old_tmpdir = ENV["TMPDIR"]
     old_temp = ENV["TEMP"]
     old_tmp = ENV["TMP"]
+    old_path = ENV["HOMEBREW_PATH"]
+
     ENV["TMPDIR"] = ENV["TEMP"] = ENV["TMP"] = HOMEBREW_TEMP
+    ENV["HOMEBREW_PATH"] = nil
+
+    ENV.clear_sensitive_environment!
+
     with_logging("post_install") do
       post_install
     end
@@ -1025,6 +1033,7 @@ class Formula
     ENV["TMPDIR"] = old_tmpdir
     ENV["TEMP"] = old_temp
     ENV["TMP"] = old_tmp
+    ENV["HOMEBREW_PATH"] = old_path
     @prefix_returns_versioned_prefix = false
   end
 
@@ -1664,9 +1673,15 @@ class Formula
     old_temp = ENV["TEMP"]
     old_tmp = ENV["TMP"]
     old_term = ENV["TERM"]
+    old_path = ENV["HOMEBREW_PATH"]
+
     ENV["CURL_HOME"] = old_curl_home || old_home
     ENV["TMPDIR"] = ENV["TEMP"] = ENV["TMP"] = HOMEBREW_TEMP
     ENV["TERM"] = "dumb"
+    ENV["HOMEBREW_PATH"] = nil
+
+    ENV.clear_sensitive_environment!
+
     mktemp("#{name}-test") do |staging|
       staging.retain! if ARGV.keep_tmp?
       @testpath = staging.tmpdir
@@ -1689,6 +1704,7 @@ class Formula
     ENV["TEMP"] = old_temp
     ENV["TMP"] = old_tmp
     ENV["TERM"] = old_term
+    ENV["HOMEBREW_PATH"] = old_path
     @prefix_returns_versioned_prefix = false
   end
 
@@ -1925,17 +1941,24 @@ class Formula
       mkdir_p env_home
 
       old_home = ENV["HOME"]
-      ENV["HOME"] = env_home
       old_curl_home = ENV["CURL_HOME"]
+      old_path = ENV["HOMEBREW_PATH"]
+
+      ENV["HOME"] = env_home
       ENV["CURL_HOME"] = old_curl_home || old_home
+      ENV["HOMEBREW_PATH"] = nil
+
       setup_home env_home
 
+      ENV.clear_sensitive_environment!
+
       begin
         yield staging
       ensure
         @buildpath = nil
         ENV["HOME"] = old_home
         ENV["CURL_HOME"] = old_curl_home
+        ENV["HOMEBREW_PATH"] = old_path
       end
     end
   end
diff --git a/Library/Homebrew/global.rb b/Library/Homebrew/global.rb
index 391f5b012..8726fa1a4 100644
--- a/Library/Homebrew/global.rb
+++ b/Library/Homebrew/global.rb
@@ -53,7 +53,7 @@ HOMEBREW_PULL_OR_COMMIT_URL_REGEX = %r[https://github\.com/([\w-]+)/([\w-]+)?/(?
 
 require "compat" unless ARGV.include?("--no-compat") || ENV["HOMEBREW_NO_COMPAT"]
 
-ORIGINAL_PATHS = ENV["PATH"].split(File::PATH_SEPARATOR).map do |p|
+ORIGINAL_PATHS = ENV["HOMEBREW_PATH"].split(File::PATH_SEPARATOR).map do |p|
   begin
     Pathname.new(p).expand_path
   rescue
diff --git a/Library/Homebrew/test/diagnostic_spec.rb b/Library/Homebrew/test/diagnostic_spec.rb
index c2bcdb9c0..6e2c09268 100644
--- a/Library/Homebrew/test/diagnostic_spec.rb
+++ b/Library/Homebrew/test/diagnostic_spec.rb
@@ -122,8 +122,9 @@ describe Homebrew::Diagnostic::Checks do
   specify "#check_user_path_3" do
     begin
       sbin = HOMEBREW_PREFIX/"sbin"
-      ENV["PATH"] = "#{HOMEBREW_PREFIX}/bin#{File::PATH_SEPARATOR}" +
-                    ENV["PATH"].gsub(/(?:^|#{Regexp.escape(File::PATH_SEPARATOR)})#{Regexp.escape(sbin)}/, "")
+      ENV["HOMEBREW_PATH"] =
+        "#{HOMEBREW_PREFIX}/bin#{File::PATH_SEPARATOR}" +
+        ENV["HOMEBREW_PATH"].gsub(/(?:^|#{Regexp.escape(File::PATH_SEPARATOR)})#{Regexp.escape(sbin)}/, "")
       (sbin/"something").mkpath
 
       expect(subject.check_user_path_1).to be nil
@@ -149,7 +150,9 @@ describe Homebrew::Diagnostic::Checks do
       file = "#{path}/foo-config"
       FileUtils.touch file
       FileUtils.chmod 0755, file
-      ENV["PATH"] = "#{path}#{File::PATH_SEPARATOR}#{ENV["PATH"]}"
+      ENV["HOMEBREW_PATH"] =
+        ENV["PATH"] =
+          "#{path}#{File::PATH_SEPARATOR}#{ENV["PATH"]}"
 
       expect(subject.check_for_config_scripts)
         .to match('"config" scripts exist')
diff --git a/Library/Homebrew/test/support/helper/spec/shared_context/integration_test.rb b/Library/Homebrew/test/support/helper/spec/shared_context/integration_test.rb
index b037068d2..ae1854f58 100644
--- a/Library/Homebrew/test/support/helper/spec/shared_context/integration_test.rb
+++ b/Library/Homebrew/test/support/helper/spec/shared_context/integration_test.rb
@@ -72,6 +72,7 @@ RSpec.shared_context "integration test" do
 
     env.merge!(
       "PATH" => path,
+      "HOMEBREW_PATH" => path,
       "HOMEBREW_BREW_FILE" => HOMEBREW_PREFIX/"bin/brew",
       "HOMEBREW_INTEGRATION_TEST" => command_id_from_args(args),
       "HOMEBREW_TEST_TMPDIR" => TEST_TMPDIR,
diff --git a/Library/Homebrew/utils.rb b/Library/Homebrew/utils.rb
index 7a14916e1..016b0a56f 100644
--- a/Library/Homebrew/utils.rb
+++ b/Library/Homebrew/utils.rb
@@ -406,8 +406,8 @@ def nostdout
   end
 end
 
-def paths
-  @paths ||= ENV["PATH"].split(File::PATH_SEPARATOR).collect do |p|
+def paths(env_path = ENV["PATH"])
+  @paths ||= env_path.split(File::PATH_SEPARATOR).collect do |p|
     begin
       File.expand_path(p).chomp("/")
     rescue ArgumentError