BUG Replace phpdotenv with thread-safe replacement

[tractorcow]

Fixes #7478

Not strictly breaking, but any code which uses getenv php method will remain vulnerable until upgrading to the new Environment::getenv method.

In order to be as unobtrusive as possible the getenv and putenv methods on Environment class are designed as drop-in replacements for the global php methods.

Thanks to @NightJar for beginning this solution (see NightJar@e614ede).

Other PRs for various modules incoming to replace getenv usages.

Other prs to merge after this:

• Update to use new Environment::getenv() silverstripe-assets#87
• Update to use new Environment::getenv() silverstripe-behat-extension#170
• Update to use new Environment::getenv() API silverstripe-serve#19

References to this issue (notably laravel based)

• Allow read-only mode vlucas/phpdotenv#163
• Changing process environment unsafe on multithreaded servers vlucas/phpdotenv#76
• replacing getenv($key) with array_get($_ENV, $key) laravel/framework#8187
• https://gist.github.com/progmars/1e545d96dd48676a2aa7

[zanderwar]

👍

[dhensby]

I'm not really behind this fix as the whole point in using an external library is so that we aren't maintaining this kind of code ourselves.

from my understanding putenv and getenv are not threadsafe methods and so this error is only happens on multi-threaded environments (IIS, HHVM and multithreaded apache on windows).

Have we investigated using Dotenv\Loader::setEnvironmentVariable and Dotenv\Loader::getEnvironmentVariable instead as they rely on the super globals first...

[zanderwar]

The external library is not intended for production, so using it in the first place only satisfies the environment when in development albeit is not in require-dev and as such is adding unnecessary bloat to production.

IMHO the dotenv dependency should be dropped entirely for methodology like this. Even if I am being biased here because this resolves my issue of wanting to use the .env file like laravel/symfony allow flawlessly

[tractorcow]

Our external library is parse_ini_string :)

[flamerohr]

A minor request, it's not blocking for this to be merged

[flamerohr]

could we have overloading vars as a second param for this method?

[tractorcow]

Yes that's a good idea thank you. :)

[sminnee]

Reviewed, few stylistic comments. Hand-rolling our own dotenv implementation surprised me a bit – we're trying to reduce wheel reinvention. Sure it's not lengthy code, but it's the kind of regex soup that can end up having bugs.

[sminnee]

Do we need this to be our API rather than setEnv($k, $v)? Who would you recommend calls putenv?

[sminnee]

Having looked at the other code that calls it, it seems making the setEnv API public and removing putenv would be more appropriate to developers.

[tractorcow]

I've ensure that putenv() promises to be a drop-in replacement for the core putenv. Mirroring the API means that users don't have to do any string-manipulation in their usercode. As a developer I love the peace of mind of an api promising to work the same way; Less for me to think about and re-test. :)

[sminnee]

I don't see much value in that. People will still have to change their code, and if they're going to change their code we may as well give them the API they're more likely to want, which is setEnv.

[sminnee]

If you look at all our putenv calls we're doing string concatenation in them now, so providing setEnv() isn't going to force people to do string manipulation.

If we had 5 years of code built around putenv there might be a stronger argument for it, but we don't.

[tractorcow]

ok, fair enough.

Shall I make putEnv and setEnv both public?

[sminnee]

Seems like a reasonable compromise.

[sminnee]

Can we make this camel case, so getEnv()?

[tractorcow]

This api mirrors the old global getenv, so I've opted to maintain the semantics as close as possible, including case name.

[tractorcow]

We can make it getEnv

[sminnee]

Why have we reimplemented dotenv?

[tractorcow]

Pretty much!

[sminnee]

Wouldn't it be better to retain a dotenv dependency (either vlucas or symfony) and make reference to its loader within Environment?

[tractorcow]

I'll have a look into symfony.

[tractorcow]

Symfony seems to do exactly the same thing; symfony dotenv simply uses core-php getenv. Given our implementation is small and works for us, I suggest to leave it as is.

[sminnee]

ok

[sminnee]

This should probably still be getenv, otherwise it's a bit of a circular dependency, and this var can't be set by .env

[tractorcow]

This behaviour is required in case user-specific bootstrap files set environment vars.

Note that Environment::getenv doesn't actually require .env files to be loaded; It also acts as an accessor to the underlying system environment. This just maintains consistency between all getenv accessors.

The risk of using old getenv is that if a user does custom loading of env vars in user-code or custom index.php, then that call is going to be vulnerable to the same race condition we are trying to address.

[sminnee]

Fair enough

[tractorcow]

Ok, all feedback has been implemented and also on all other repos.

[flamerohr]

referencing old API, maybe double check all docs :)

[flamerohr]

same in changelogs

[dhensby]

Just revisiting what @sminnee said - this should only ever be set by a global bonefido environment variable that won't change from execution to execution. As the comment says "Allow a first class env var to be set that disables .env file loading" but this allows second-class / psuedo environment variables to manipulate/unset this value which is the opposite of what's intended here.

[tractorcow]

but this allows second-class / psuedo environment variables to manipulate/unset this value which is the opposite of what's intended here.

getenv allows exactly the same if you use putenv, so what's the introduced risk that didn't exist before?

[dhensby]

I don't understand the preference for handrolling our own dotenv work when this is practically identical to using Dotenv\Loader::setEnvironmentVariable and Dotenv\Loader::getEnvironmentVariable and means we don't have to maintain this code :/

[dhensby]

This is what the setEnvironmentVariable is in the library: https://github.com/vlucas/phpdotenv/blob/828d19e597052ddeee65890bb2b1a0912d79fea8/src/Loader.php#L353-L375

It's super close to what we have just we also have an extra layer of the local static $env too.

[tractorcow]

just we also have an extra layer of the local static $env too.

That is the critical point of this PR. That's not simply a cache, that's the key feature that solves the process isolation issue.

[dhensby]

There are no tests for nested variables, eg:

TEST="value"
TEST_AGAIN="$TEST"

[tractorcow]

I didn't write any code to support it either.

[NightJar]

Are nested variables a thing? :o

[flamerohr]

please don't let this be a thing... at least not here :P

[NightJar]

My thoughts exactly. We're not implementing a POSIX shell.

[dhensby]

This is a feature of the dotenv lib so if we're replacing it like-for-like it needs to be here.

[tractorcow]

I've restored this. ;)

[dhensby]

@zanderwar

The external library is not intended for production, so using it in the first place only satisfies the environment when in development albeit is not in require-dev and as such is adding unnecessary bloat to production.

I don't see how lifting the code from the library and putting it in our codebase makes this any more suitable for production. If we feel that this PR solves the problem, then using the built in methods (instead of php's getenv and putenv) will solve the problem too.

IMHO the dotenv dependency should be dropped entirely for methodology like this. Even if I am being biased here because this resolves my issue of wanting to use the .env file like laravel/symfony allow flawlessly

Laravel uses the same library for their .env so if you're happy with how laravel works then there should be no complaints. We could move to symfony's if it's more robust/resilient.

[tractorcow]

I don't see how lifting the code from the library and putting it in our codebase makes this any more suitable for production.

We aren't lifting it, we have made a completely unique implementation. We store the vars in a static $env to protected it from cross-process pollution (which apparently $_ENV and both $_SERVER were subject to in testing).

so if you're happy with how laravel works

I'm not happy, as even laravel / symfony suffer from the risks documented at https://gist.github.com/progmars/1e545d96dd48676a2aa7

[tractorcow]

Maybe someone who has an environment which can reproduce this issue (e.g. @zanderwar ) could take over development of this fix and see if they can minimise the fix to one that still solves the issue, but maybe without removal of the existing backend dotenv library?

[tractorcow]

Maybe we should request feedback from one of the laravel devs; Maybe they can provide some insight that I haven't seen.

[tractorcow]

Well, I've tracked down the appropriate laravel discussion.

laravel/framework#8191 (comment)

You should avoid calling env()in your application.

The way this is addressed in laravel is that the result of the combined config is cached, and thus there is no race condition when setting / loading env() vars, because getenv() is rarely called, and loading .env files is only done to populate this cache.

In the case of SilverStripe, what we could do is use .env to populate (and cache) config, and we use the config API.

We already use the back-tick operator to interpolate env / constants into config. What we could do is actually cache these within the config manifest (rather than lazy-evaluating on each request).

For example, this is how the default cache factory sets the temp path (cache.yml)

---
Name: corecache
---
SilverStripe\Core\Injector\Injector:
  SilverStripe\Core\Cache\CacheFactory:
    class: 'SilverStripe\Core\Cache\DefaultCacheFactory'
    constructor:
      args:
        directory: '`TEMP_PATH`'

This could be solved in a number of ways:

Option 1

• Move all used env vars to a config var on some relevant class
• Update config module to interpolate these values during flush / cache generation
• Replace all getenv() calls to the appropriate config calls

Option 2

Alternatively, we could not interpolate these variables, but instead create a separate config transformer which populates config directly from the environment into a holder class (e.g. SilverStripe\Core\Environment). Thus getenv('SS_DATABASE_CLASS') becomes Environment::config()->get('SS_DATABASE_CLASS').

[tractorcow]

@dhensby what do you think about these other options?

[sminnee]

We're close to an RC1 now is not the time to be radically re-thinking APIs.

Are we all 👍 on Environment::setEnv($key, $value) and Environment::getEnv($key) as the public API for this?

I love the idea of relying on the config's backtick system as much as possible, but that's a styleguide question, we'd still need the public API. I think that making more use of the backtick system is something that we can look at incrementing towards in 4.x.

I, like Dan, questioned why we rewrote the dotenv package instead of just including it as a dependency, but I don't think that an argument over that should have anything to do with the public API we expose. And, because of that, we could change this in 4.1 if we want.

I don't think that we should expose Dotenv\Loader::setEnvironmentVariable and Dotenv\Loader::getEnvironmentVariable as our public API as it ties us to that specific implementation, and if we realise (like we did a few days ago) that we have a problem with their API then we're stuffed until SS5. However, I think that Environment::setEnv() calling these methods behind the scenes would make a lot of sense.

Re-reading, I can see that Damian has found specific issues with the 3rd party implementations. I would say that we bless our current public API, go with Damian's implementation for now, and if we want, we can look at:

• an upstream PR to one of the dotenv implementations that improves it in the way that Damian has done here
• a 4.x change to SilverStripe to remove our internal implementation and switch back to a 3rd party dependency.

[tractorcow]

@sminnee pro-tip; If we switch to Environment::getEnv() now, we can still switch the back-end cache at some later point (e.g. 4.1).

[sminnee]

getEnv

[sminnee]

setEnv('API_KEY', 'AABBCCDDEEFF012345')

[sminnee]

putEnvFromFile

[tractorcow]

I'll fix up the docs now. :)

[sminnee]

setEnv('ENVVARSET_FOO', 1)

[tractorcow]

I'll defer to your better experience in this case. :)

[sminnee]

So in summary:

• Environment::getEnv() uses getenv() as its starting point
• .env files are loaded into static properties, and don't rely on putenv()
• We recommend system-defined environment variables and not .env in prod environments

Right?

Perhaps we ditch the putenv() call to make it obvious that you should use Environment::getEnv() in your application code and not getenv(). In particular, if you're running with a .env file that means it will fail consistently, instead of only failing in a race condition, which seems like better developer experience.

[dhensby]

I don't think that we should expose Dotenv\Loader::setEnvironmentVariable and Dotenv\Loader::getEnvironmentVariable as our public API as it ties us to that specific implementation, and if we realise (like we did a few days ago) that we have a problem with their API then we're stuffed until SS5. However, I think that Environment::setEnv() calling these methods behind the scenes would make a lot of sense.

This is my view. We can use our own API which wraps the DotEnv library and even adds the local caching layer, but we shouldn't be removing it as a dependency at this time.

It also seems that this fix doesn't actually solve the problem anyway as we still rely on putenv (and getenv to an extent) which aren't thread-safe...

[tractorcow]

I may update so that Environment::setEnv() simply sets the $env static, and we don't modify the environment at all.

[tractorcow]

One more iteration, with these changes:

• Move env file loading into EnvironmentLoader. It's <120 lines so I don't feel too bad about replicating dotenv library logic.
• Implement variable interpolation at @dhensby's request.
• No longer uses putenv(). Environment::setEnv() now exclusively sets a protected static var, which is used as the authoritative source for vars loaded from .env.
• getenv() no longer loads variables loaded in this request; Environment::getEnv() must be used by ss applications.

[sminnee]

Final version looks good to me; let's merge this, assuming that it works for @zanderwar and @NightJar

[NightJar]

MY_SECRET="has a \" in it; because #edge-cases dominate my life."
This solution is well good enough for now, but I think we've lost sight of the goal a fair bit.
The goal of a .env file is to shift named strings into memory. No more no less. The same as getenv() would do. Is there any particular reason we need type checking & parsing, nested variables or any of the other features an external library such as dotenv provides us, and we've gone for feature parity with?

[sminnee]

@NightJar does the current solution fix the bugs that you experienced?

Also: in your comment above you didn't say whether or not that edge-case worked.

[tractorcow]

I think supporting escaped quotes can be a later release fix, if necessary.

[tractorcow]

Shall we escew dotenv / parse_ini_string() for say, one of the below:

• https://github.com/josegonzalez/php-dotenv
• https://github.com/m1/Env

Unlike the prior library, these support the ability for us to parse and extract, but not populate putenv.

@dhensby @sminnee opinions?

I'm not really interested in complicating my regexp any more.

[tractorcow]

Switched out env parser for m1/env. @dhensby see, no internal-env-parser implementation anymore. :) And feature parity.

[NightJar]

Attempting to test.

[NightJar]

This patch; good news.
Can replicate without.
Cannot replicate with.

[zanderwar]

Working for me 100%

[sminnee]

Merged, and merged 4.0 -> 4 as well on cms and framework

[tractorcow]

Yay thank you. :)

[dhensby]

Yay

[GrahamCampbell]

The current version of phpdotenv is robust and thread-safe. The following example will work in a multithreaded environment. This avoids using the adapter that would have called putenv and getenv, which are not threadsafe.

<?php

use Dotenv\Environment\Adapter\EnvConstAdapter;
use Dotenv\Environment\Adapter\ServerConstAdapter;
use Dotenv\Environment\DotenvFactory;
use Dotenv\Dotenv;

$factory = new DotenvFactory([new EnvConstAdapter(), new ServerConstAdapter()]);

Dotenv::create($path, null, $factory)->load();

[tractorcow]

That's excellent, thank you @GrahamCampbell. I think the approach we've gone with is the best for us, however, but we appreciate your getting back to us.