Drop SSH keys from env when running external commands

CHANGELOG.md

@@ -11,6 +11,7 @@
 
   **For upgrading:** The cases where an `@eval` results in a object that is not `nothing` or `::Markdown.MD`, the returned object should be reviewed. In case the resulting object is of some `Markdown` node type (e.g. `Markdown.Paragraph` or `Markdown.Table`), it can simply be wrapped in `Markdown.MD([...])` for block nodes, or `Markdown.MD([Markdown.Paragraph([...])])` for inline nodes. In other cases Documenter was likely not handling the returned object in a correct way, but please open an issue if this change has broken a previously working use case.
 
+* ![Enhancement][badge-enhancement] Documenter is now more careful not to accidentally leak SSH keys (in e.g. error messages) by removing `DOCUMENTER_KEY` from the environment when it is not needed. ([#1958][github-1958], [#1962][github-1962])
 * ![Enhancement][badge-enhancement] Admonitions are now styled with color in the LaTeX output. ([#1931][github-1931], [#1932][github-1932], [#1946][github-1946], [#1955][github-1955])
 * ![Enhancement][badge-enhancement] Improved the styling of code blocks in the LaTeXWriter. ([#1933][github-1933], [#1935][github-1935], [#1936][github-1936], [#1944][github-1944], [#1956][github-1956], [#1957][github-1957])
 * ![Enhancement][badge-enhancement] Automatically resize oversize `tabular` environments from `@example` blocks in LaTeXWriter. ([#1930][github-1930], [#1937][github-1937])
@@ -1162,6 +1163,8 @@
 [github-1955]: https://github.com/JuliaDocs/Documenter.jl/pull/1955
 [github-1956]: https://github.com/JuliaDocs/Documenter.jl/pull/1956
 [github-1957]: https://github.com/JuliaDocs/Documenter.jl/pull/1957
+[github-1958]: https://github.com/JuliaDocs/Documenter.jl/issues/1958
+[github-1962]: https://github.com/JuliaDocs/Documenter.jl/pull/1962
 [github-1969]: https://github.com/JuliaDocs/Documenter.jl/pull/1969
 <!-- end of issue link definitions -->
 

src/Documenter.jl

@@ -25,6 +25,12 @@ const DOCUMENTER_VERSION = let
     VersionNumber(m[1])
 end
 
+# Potentially sensitive variables to be removed from environment when not needed
+const NO_KEY_ENV = Dict(
+    "DOCUMENTER_KEY" => nothing,
+    "DOCUMENTER_KEY_PREVIEWS" => nothing,
+)
+
 # Names of possible internal errors
 const ERROR_NAMES = [:autodocs_block, :cross_references, :docs_block, :doctest,
                      :eval_block, :example_block, :footnote, :linkcheck, :meta_block,
@@ -261,9 +267,9 @@ function makedocs(components...; debug = false, format = HTML(), kwargs...)
     # Selectors.dispatch. This is to make sure that we pick up any new selector stages that
     # may have been added to the selector pipelines between makedocs calls.
     empty!(Selectors.selector_subtypes)
-    cd(document.user.root) do
+    cd(document.user.root) do; withenv(NO_KEY_ENV...) do
         Selectors.dispatch(Builder.DocumentPipeline, document)
-    end
+    end end
     debug ? document : nothing
 end
 
@@ -752,7 +758,7 @@ function git_push(
                 chmod(sshconfig, 0o600)
                 # git config core.sshCommand requires git 2.10.0, but
                 # GIT_SSH_COMMAND works from 2.3.0 so define both.
-                withenv("GIT_SSH_COMMAND" => "ssh -F $(sshconfig)") do
+                withenv("GIT_SSH_COMMAND" => "ssh -F $(sshconfig)", NO_KEY_ENV...) do
                     cd(() -> git_commands(sshconfig), temp)
                 end
             end
@@ -769,7 +775,7 @@ function git_push(
         # The upstream URL to which we push new content authenticated with token
         upstream = authenticated_repo_url(deploy_config)
         try
-            cd(git_commands, temp)
+            cd(() -> withenv(git_commands, NO_KEY_ENV...), temp)
             post_status(deploy_config; repo=repo, type="success", subfolder=subfolder)
         catch e
             @error "Failed to push:" exception=(e, catch_backtrace())

src/Utilities/Utilities.jl

@@ -9,6 +9,7 @@ using DocStringExtensions
 import Markdown, MarkdownAST, LibGit2
 import Base64: stringmime
 import ..ERROR_NAMES
+import ..NO_KEY_ENV
 
 include("Remotes.jl")
 using .Remotes: Remote, repourl, repofile
@@ -836,7 +837,10 @@ function git(; nothrow = false, kwargs...)
     # According to the Git man page, the default GIT_TEMPLATE_DIR is at /usr/share/git-core/templates
     # We need to set this to something so that Git wouldn't pick up the user
     # templates (e.g. from init.templateDir config).
-    return addenv(`$(system_git_path)`, "GIT_TEMPLATE_DIR" => "/usr/share/git-core/templates")
+    cmd = addenv(`$(system_git_path)`, "GIT_TEMPLATE_DIR" => "/usr/share/git-core/templates")
+    # DOCUMENTER_KEY etc are never needed for git operations
+    cmd = addenv(cmd, NO_KEY_ENV)
+    return cmd
 end
 
 include("DOM.jl")