app/seal: check for '=' in envv

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-27 18:25:23 +09:00 · 2025-03-27 18:25:23 +09:00 · 605d018be2
commit 605d018be2
parent 78aaae7ee0
1 changed files with 7 additions and 2 deletions
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@ -8,7 +8,6 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
-	"maps"
 	"os"
 	"path"
 	"regexp"
@ -505,7 +504,13 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co

 	// flatten and sort env for deterministic behaviour
 	seal.container.Env = make([]string, 0, len(seal.env))
-	maps.All(seal.env)(func(k string, v string) bool { seal.container.Env = append(seal.container.Env, k+"="+v); return true })
+	for k, v := range seal.env {
+		if strings.IndexByte(k, '=') != -1 {
+			return fmsg.WrapError(syscall.EINVAL,
+				fmt.Sprintf("invalid environment variable %s", k))
+		}
+		seal.container.Env = append(seal.container.Env, k+"="+v)
+	}
 	slices.Sort(seal.container.Env)

 	fmsg.Verbosef("created application seal for uid %s (%s) groups: %v, argv: %s",