Sanitize environment before starting backend processes (rclone, ssh)

The restic security model includes full trust of the local machine, so this should not fix any actual security problems, but it's better to be safe than sorry. Fixes #2192.
2025-08-23 04:07:25 +00:00 · 2020-10-03 13:27:23 +02:00
parent 4875f7b659
commit 11fbaaae9a
5 changed files with 67 additions and 12 deletions
--- a/internal/backend/foreground.go
+++ b/internal/backend/foreground.go
@@ -0,0 +1,26 @@
+package backend
+
+import (
+	"os"
+	"os/exec"
+	"strings"
+)
+
+// StartForeground runs cmd in the foreground, by temporarily switching to the
+// new process group created for cmd. The returned function `bg` switches back
+// to the previous process group.
+//
+// The command's environment has all RESTIC_* variables removed.
+func StartForeground(cmd *exec.Cmd) (bg func() error, err error) {
+	env := os.Environ() // Returns a copy that we can modify.
+
+	cmd.Env = env[:0]
+	for _, kv := range env {
+		if strings.HasPrefix(kv, "RESTIC_") {
+			continue
+		}
+		cmd.Env = append(cmd.Env, kv)
+	}
+
+	return startForeground(cmd)
+}