Exposure of server configuration
Description
Vela compiler before 0.6.1 exposes server configuration via Sprig's env template function, allowing information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vela compiler before 0.6.1 exposes server configuration via Sprig's `env` template function, allowing information disclosure.
Vulnerability
Overview
In Vela compiler versions prior to 0.6.1, template rendering makes use of Sprig's TxtFuncMap(), which includes OS-related functions such as env and expandenv. This allows attackers to read environment variables from the server, leading to exposure of server configuration [1].
Exploitation
An attacker can exploit this by crafting a pipeline configuration that utilizes the env function in template steps. When the pipeline is compiled, the function executes and returns the value of the specified environment variable, potentially revealing sensitive configuration data [1].
Impact
Successful exploitation results in disclosure of server environment variables, which may contain secrets like API keys, database credentials, or other configuration details. This could enable further attacks against the Vela instance and its infrastructure [1].
Mitigation
The vulnerability is fixed in Vela compiler version 0.6.1. The fix removes the env and expandenv functions from the Sprig function map, preventing their use in templates [3]. Users should upgrade to 0.6.1 or later and rotate all secrets as a precaution [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
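The template-function mechanics described above, as an added example that is not Vela's or Sprig's code: a stand-in function map carrying `env` and `expandenv` (assumed to mirror the semantics of Sprig's OS helpers) is rendered with the page's own `echo {{ env "VELA_SOURCE_CLIENT" }}` step before and after the same two `delete` calls the patch applies, so the disallowed call becomes a parse error instead of reading the process environment.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"text/template"
)

// standInFuncMap mimics the relevant part of Sprig's TxtFuncMap(): harmless
// string helpers mixed with OS-backed helpers. Added example; this is not
// Sprig itself, whose "env"/"expandenv" are assumed to behave like these.
func standInFuncMap() template.FuncMap {
	return template.FuncMap{
		"upper":     strings.ToUpper,
		"env":       os.Getenv,    // reads one variable from the server process
		"expandenv": os.ExpandEnv, // expands $VAR references from the environment
	}
}

// hardenedFuncMap applies the same fix as the patch: drop the OS functions
// before the map ever reaches the template engine.
func hardenedFuncMap() template.FuncMap {
	sf := standInFuncMap()
	delete(sf, "env")
	delete(sf, "expandenv")
	return sf
}

// render parses and executes tmpl with the given function map. With the
// hardened map a template calling env fails at Parse time, so the
// pipeline-supplied body is rejected before anything executes.
func render(tmpl string, funcs template.FuncMap) (string, error) {
	t, err := template.New("step").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("unable to parse template: %w", err)
	}
	var out strings.Builder
	if err := t.Execute(&out, nil); err != nil {
		return "", fmt.Errorf("unable to execute template: %w", err)
	}
	return out.String(), nil
}

func main() {
	os.Setenv("VELA_SOURCE_CLIENT", "constructed-client-id") // constructed sample secret
	const tmpl = `echo {{ env "VELA_SOURCE_CLIENT" }}`
	out, err := render(tmpl, standInFuncMap())
	fmt.Printf("before fix: %q err=%v\n", out, err)
	out, err = render(tmpl, hardenedFuncMap())
	fmt.Printf("after fix:  %q err=%v\n", out, err)
}
```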
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/go-vela/compiler (Go) | < 0.6.1 | 0.6.1 |
Affected products
- go-vela/compiler (range: < 0.6.1)
Patches
f1ace5f8a05c fix: disallow functions (#93)
4 files changed · +65 −1
template/native/render.go+8 −1 modified@@ -21,11 +21,18 @@ func Render(tmpl string, s *types.Step) (types.StepSlice, error) { templateFuncMap := map[string]interface{}{ "vela": velaFuncs.returnPlatformVar, } + // modify Masterminds/sprig functions + // to remove OS functions + // + // https://masterminds.github.io/sprig/os.html + sf := sprig.TxtFuncMap() + delete(sf, "env") + delete(sf, "expandenv") // parse the template with Masterminds/sprig functions // // https://pkg.go.dev/github.com/Masterminds/sprig?tab=doc#TxtFuncMap - t, err := template.New(s.Name).Funcs(sprig.TxtFuncMap()).Funcs(templateFuncMap).Parse(tmpl) + t, err := template.New(s.Name).Funcs(sf).Funcs(templateFuncMap).Parse(tmpl) if err != nil { return types.StepSlice{}, fmt.Errorf("unable to parse template %s: %v", s.Template.Name, err) }
template/native/render_test.go+41 −0 modified@@ -6,6 +6,7 @@ package native import ( "io/ioutil" + "reflect" "testing" "github.com/go-vela/types/raw" @@ -82,3 +83,43 @@ func TestNative_Render(t *testing.T) { }) } } + +func TestNative_Render_DisallowedFunc_Env(t *testing.T) { + // setup types + want := yaml.StepSlice{} + + // run test + tmpl, err := ioutil.ReadFile("testdata/disallowed/tmpl_env.yml") + if err != nil { + t.Errorf("Reading file returned err: %v", err) + } + + got, err := Render(string(tmpl), &yaml.Step{}) + if err == nil { + t.Errorf("Render should have returned err") + } + + if !reflect.DeepEqual(got, want) { + t.Errorf("Render is %v, want %v", got, want) + } +} + +func TestNative_Render_DisallowedFunc_ExpandEnv(t *testing.T) { + // setup types + want := yaml.StepSlice{} + + // run test + tmpl, err := ioutil.ReadFile("testdata/disallowed/tmpl_expandenv.yml") + if err != nil { + t.Errorf("Reading file returned err: %v", err) + } + + got, err := Render(string(tmpl), &yaml.Step{}) + if err == nil { + t.Errorf("Render should have returned err") + } + + if !reflect.DeepEqual(got, want) { + t.Errorf("Render is %v, want %v", got, want) + } +}
template/native/testdata/disallowed/tmpl_env.yml+8 −0 added@@ -0,0 +1,8 @@ +metadata: + template: true + +steps: + - name: echo + commands: + - echo {{ env "VELA_SOURCE_CLIENT" }} + image: alpine:latest \ No newline at end of file
template/native/testdata/disallowed/tmpl_expandenv.yml+8 −0 added@@ -0,0 +1,8 @@ +metadata: + template: true + +steps: + - name: echo + commands: + - echo {{ expandenv "Your client id is set to $VELA_SOURCE_CLIENT" }} + image: alpine:latest \ No newline at end of file
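Review bot: the comment on the new `sf` block in render.go says it removes OS functions, but what the hunk does is delete two specific names, `env` and `expandenv`, from whatever `sprig.TxtFuncMap()` returns; any other environment-reading helper, present now or added by a later Sprig release, passes through to `Funcs(sf)` unchanged. Consider an allowlist of the functions Vela templates actually need, or at minimum a test that enumerates the keys of `sf` and fails if a disallowed name reappears, so the denylist cannot go stale silently on a dependency bump.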
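Review bot: both new tests in render_test.go call `t.Errorf` when `ioutil.ReadFile` fails and then keep going, so a missing or misnamed fixture reaches `Render(string(tmpl), &yaml.Step{})` with an empty template and the follow-on failures obscure the real cause; use `t.Fatalf` there. The `err == nil` check should also assert on the message (for example that it contains `function "env" not defined`), otherwise the test passes whenever Render errors for an unrelated reason. The two functions differ only in the fixture path and read more clearly as one table-driven test.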
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-gv2h-gf8m-r68j (advisory)
2. nvd.nist.gov/vuln/detail/CVE-2020-26294 (advisory)
3. github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda (web)
4. github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j (advisory)
5. github.com/helm/helm/blob/6297c021cbda1483d8c08a8ec6f4a99e38be7302/pkg/engine/funcs.go (web)
6. pkg.go.dev/github.com/go-vela/compiler/compiler (web)
News mentions
No linked articles in our index yet.