From a5e9b4d12626b153e227303b35b07c6f87ff1c5f Mon Sep 17 00:00:00 2001
From: Rafael Passos
Date: Tue, 17 Sep 2024 09:12:39 -0300
Subject: [PATCH] libpod: hides env secrets from container inspect

Replaces env values supplied from podman secrets, returns ******* instead

Fixes: #23788

Signed-off-by: Rafael Passos
---
 libpod/container_inspect.go | 14 ++++++++++++++
 test/e2e/container_inspect_test.go | 22 ++++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index aa561a5cdc..33bd465da0 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -372,6 +372,20 @@ func (c *Container) generateInspectContainerConfig(spec *spec.Spec) *define.Insp
if spec.Process != nil {
ctrConfig.Tty = spec.Process.Terminal
ctrConfig.Env = append([]string{}, spec.Process.Env...)
+
+ // finds all secrets mounted as env variables and hides the value
+ // the inspect command should not display it
+ envSecrets := c.config.EnvSecrets
+ for envIndex, envValue := range ctrConfig.Env {
+ // env variables come in the style `name=value`
+ envName := strings.Split(envValue, "=")[0]
+
+ envSecret, ok := envSecrets[envName]
+ if ok {
+ ctrConfig.Env[envIndex] = envSecret.Name + "=*******"
+ }
+ }
+
ctrConfig.WorkingDir = spec.Process.Cwd
}

diff --git a/test/e2e/container_inspect_test.go b/test/e2e/container_inspect_test.go
index 8e26eb0f25..120f8ae4a5 100644
--- a/test/e2e/container_inspect_test.go
+++ b/test/e2e/container_inspect_test.go
@@ -3,6 +3,7 @@ package integration

import (
+ "fmt"
"os"
"path/filepath"
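Review bot: The masked entry is rebuilt from `envSecret.Name` rather than from the variable name that was actually matched, on the line `ctrConfig.Env[envIndex] = envSecret.Name + "=*******"`. If `c.config.EnvSecrets` is keyed by the target variable name (as a `--secret mysecret,type=env,target=FOO` would presumably require — not visible here), inspect would then rename `FOO=...` to `mysecret=*******`, so the key should be taken from the match itself: `ctrConfig.Env[envIndex] = envName + "=*******"`. The split is only ever used for its first piece, so `envName, _, _ := strings.Cut(envValue, "=")` is the idiomatic form and avoids allocating the tail slice. Masking is applied to the copy made by `append([]string{}, spec.Process.Env...)`, so the container's spec itself is untouched, which is the right place for it. generateInspectContainerConfig starts before and continues after this hunk.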
@@ -82,4 +83,25 @@ var _ = Describe("Podman container inspect", func() {
Expect(data[0].HostConfig.VolumesFrom).To(Equal([]string{volsctr}))
Expect(data[0].Config.Annotations[define.VolumesFromAnnotation]).To(Equal(volsctr))
})
+
+ It("podman inspect hides secrets mounted to env", func() {
+ secretName := "mysecret"
+
+ secretFilePath := filepath.Join(podmanTest.TempDir, "secret")
+ err := os.WriteFile(secretFilePath, []byte("mySecretValue"), 0755)
+ Expect(err).ToNot(HaveOccurred())
+
+ session := podmanTest.Podman([]string{"secret", "create", secretName, secretFilePath})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(ExitCleanly())
+
+ name := "testcon"
+ session = podmanTest.Podman([]string{"run", "--secret", fmt.Sprintf("%s,type=env", secretName), "--name", name, CITEST_IMAGE})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(ExitCleanly())
+
+ data := podmanTest.InspectContainer(name)
+ Expect(data).To(HaveLen(1))
+ Expect(data[0].Config.Env).To(ContainElement(Equal(secretName + "=*******")))
+ })
})
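Review bot: The final assertion only checks that the masked form is present; it never checks that the plaintext is absent, which is the property the fix exists to guarantee, so add `Expect(data[0].Config.Env).ToNot(ContainElement(ContainSubstring("mySecretValue")))` after the `ContainElement` check. The secret fixture is written with mode `0755`; a secret file should be `0600` (`err := os.WriteFile(secretFilePath, []byte("mySecretValue"), 0600)`) even in a test, so the permission pattern is not copied into non-test code. Only the plain `--secret NAME,type=env` form is exercised; a second `It` using `target=` with a variable name that differs from the secret name would cover the case where the env key and secret name diverge. The enclosing `Describe` block starts before this hunk.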