Critical severity · NVD Advisory · Published Sep 19, 2024 · Updated Apr 15, 2026
CVE-2024-8986
Description
The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running git remote get-url origin.
If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grafana/grafana-plugin-sdk-go (Go) | < 0.250.0 | 0.250.0 |
Patches (1)
aaa26d1bebaa Remove repo info from binary (#1091)
4 files changed · +7 −137
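--- a/build/common.go
+++ b/build/common.go
@@ -12,6 +12,7 @@ import (
 	"sort"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/magefile/mage/mg"
 	"github.com/magefile/mage/sh"
@@ -152,7 +153,9 @@ func getBuildBackendCmdInfo(cfg Config) (Config, []string, error) {
 		"build", "-o", filepath.Join(outputPath, exePath),
 	}
-	info := getBuildInfoFromEnvironment()
+	info := Info{
+		Time: now().UnixNano() / int64(time.Millisecond),
+	}
 	pluginID, err := internal.GetStringValueFromJSON(filepath.Join(pluginJSONPath, "plugin.json"), "id")
 	if err == nil && len(pluginID) > 0 {
 		info.PluginID = pluginID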
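Review bot: The new `info := Info{...}` literal in getBuildBackendCmdInfo carries no comment explaining why the environment- and git-derived fields were dropped, so a later maintainer could reintroduce a `git remote get-url origin` lookup without seeing the risk. I would add above it `// Only non-secret metadata is embedded: repository/branch/commit lookups were removed because a remote URL can carry credentials that would then be baked into the plugin binary (CVE-2024-8986).` If go.mod is at Go 1.17 or later, `Time: now().UnixMilli(),` expresses the same value more directly, though the module version is not visible from this hunk. getBuildBackendCmdInfo starts and ends outside the hunk.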
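--- a/build/common_test.go
+++ b/build/common_test.go
@@ -153,7 +153,7 @@ func Test_getBuildBackendCmdInfo(t *testing.T) {
 				Env: map[string]string{"CGO_ENABLED": "0", "GOARCH": "arm64", "GOOS": "darwin"},
 				PluginJSONPath: filepath.Join(tmpDir, "foobar-datasource"),
 			},
-			expectedArgs: []string{"build", "-o", filepath.Join(defaultOutputBinaryPath, "gpx_foo_darwin_arm64"), "-ldflags", "-w -s -extldflags \"-static\" -X 'github.com/grafana/grafana-plugin-sdk-go/build.buildInfoJSON={.*}' -X 'main.branch=.+' -X 'main.commit=[a-z0-9\\d]{40}'", "./pkg"},
+			expectedArgs: []string{"build", "-o", filepath.Join(defaultOutputBinaryPath, "gpx_foo_darwin_arm64"), "-ldflags", "-w -s -extldflags \"-static\" -X 'github.com/grafana/grafana-plugin-sdk-go/build.buildInfoJSON={.*}'", "./pkg"},
 			wantErr: assert.NoError,
 		},
 		{
@@ -174,7 +174,7 @@ func Test_getBuildBackendCmdInfo(t *testing.T) {
 				Env: map[string]string{"CGO_ENABLED": "0", "GOARCH": "arm64", "GOOS": "darwin"},
 				PluginJSONPath: filepath.Join(tmpDir, "foobar-app"),
 			},
-			expectedArgs: []string{"build", "-o", filepath.Join(defaultOutputBinaryPath, defaultNestedDataSourcePath, "gpx_foo_darwin_arm64"), "-ldflags", "-w -s -extldflags \"-static\" -X 'github.com/grafana/grafana-plugin-sdk-go/build.buildInfoJSON={.*}' -X 'main.branch=.+' -X 'main.commit=[a-z0-9\\d]{40}'", "./pkg"},
+			expectedArgs: []string{"build", "-o", filepath.Join(defaultOutputBinaryPath, defaultNestedDataSourcePath, "gpx_foo_darwin_arm64"), "-ldflags", "-w -s -extldflags \"-static\" -X 'github.com/grafana/grafana-plugin-sdk-go/build.buildInfoJSON={.*}'", "./pkg"},
 			wantErr: assert.NoError,
 		},
 		{
@@ -195,7 +195,7 @@ func Test_getBuildBackendCmdInfo(t *testing.T) {
 				Env: map[string]string{"CGO_ENABLED": "0", "GOARCH": "amd64", "GOOS": "windows"},
 				PluginJSONPath: filepath.Join(tmpDir, "foobarbaz-app"),
 			},
-			expectedArgs: []string{"build", "-o", filepath.Join(defaultOutputBinaryPath, "gpx_foobarbaz_windows_amd64.exe"), "-ldflags", "-w -s -extldflags \"-static\" -X 'github.com/grafana/grafana-plugin-sdk-go/build.buildInfoJSON={.*}' -X 'main.branch=.+' -X 'main.commit=[a-z0-9\\d]{40}'", "./pkg"},
+			expectedArgs: []string{"build", "-o", filepath.Join(defaultOutputBinaryPath, "gpx_foobarbaz_windows_amd64.exe"), "-ldflags", "-w -s -extldflags \"-static\" -X 'github.com/grafana/grafana-plugin-sdk-go/build.buildInfoJSON={.*}'", "./pkg"},
 			wantErr: assert.NoError,
 		},
 	}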
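Review bot: The updated expectedArgs patterns in all three cases still accept `buildInfoJSON={.*}`, so the very regression this commit fixes — a repository URL, possibly with embedded credentials, inside the JSON — would pass these tests if it were reintroduced. A negative assertion in Test_getBuildBackendCmdInfo, for example `assert.NotContains(t, strings.Join(gotArgs, " "), `"repo":`)` next to `assert.NotContains(t, strings.Join(gotArgs, " "), "main.branch")` (using whatever name the test gives the returned argument slice), would pin the fix. The same applies to the hunks at -174 and -195; Test_getBuildBackendCmdInfo starts and ends outside the hunks.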
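--- a/build/info.go
+++ b/build/info.go
@@ -3,10 +3,6 @@ package build
 import (
 	"encoding/json"
 	"fmt"
-	"os"
-	"os/exec"
-	"strconv"
-	"strings"
 	"time"
 )
 
@@ -21,11 +17,6 @@ type Info struct {
 	Time int64 `json:"time,omitempty"`
 	PluginID string `json:"pluginID,omitempty"`
 	Version string `json:"version,omitempty"`
-	Repo string `json:"repo,omitempty"`
-	Branch string `json:"branch,omitempty"`
-	Hash string `json:"hash,omitempty"`
-	Build int64 `json:"build,omitempty"`
-	PR int64 `json:"pr,omitempty"`
 }
 
 // this will append build flags -- the keys are picked to match existing
@@ -37,80 +28,13 @@ func (v Info) appendFlags(flags map[string]string) {
 	if v.Version != "" {
 		flags["main.version"] = v.Version
 	}
-	if v.Branch != "" {
-		flags["main.branch"] = v.Branch
-	}
-	if v.Hash != "" {
-		flags["main.commit"] = v.Hash
-	}
 	out, err := json.Marshal(v)
 	if err == nil {
 		flags["github.com/grafana/grafana-plugin-sdk-go/build.buildInfoJSON"] = string(out)
 	}
 }
 
-func getEnvironment(check ...string) string {
-	for _, key := range check {
-		if strings.HasPrefix(key, "> ") {
-			parts := strings.Split(key, " ")
-			cmd := exec.Command(parts[1], parts[2:]...) // #nosec G204
-			out, err := cmd.CombinedOutput()
-			if err == nil && len(out) > 0 {
-				str := strings.TrimSpace(string(out))
-				if strings.Index(str, " ") > 0 {
-					continue // skip any output that has spaces
-				}
-				return str
-			}
-			continue
-		}
-
-		val := os.Getenv(key)
-		if val != "" {
-			return strings.TrimSpace(val)
-		}
-	}
-	return ""
-}
-
-// getBuildInfoFromEnvironment reads the
-func getBuildInfoFromEnvironment() Info {
-	v := Info{
-		Time: now().UnixNano() / int64(time.Millisecond),
-	}
-
-	v.Repo = getEnvironment(
-		"DRONE_REPO_LINK",
-		"CIRCLE_PROJECT_REPONAME",
-		"CI_REPONAME",
-		"> git remote get-url origin")
-	v.Branch = getEnvironment(
-		"DRONE_BRANCH",
-		"CIRCLE_BRANCH",
-		"CI_BRANCH",
-		"> git branch --show-current")
-	v.Hash = getEnvironment(
-		"DRONE_COMMIT_SHA",
-		"CIRCLE_SHA1",
-		"CI_COMMIT_SHA",
-		"> git rev-parse HEAD")
-	val, err := strconv.ParseInt(getEnvironment(
-		"DRONE_BUILD_NUMBER",
-		"CIRCLE_BUILD_NUM",
-		"CI_BUILD_NUM"), 10, 64)
-	if err == nil {
-		v.Build = val
-	}
-	val, err = strconv.ParseInt(getEnvironment(
-		"DRONE_PULL_REQUEST",
-		"CI_PULL_REQUEST"), 10, 64)
-	if err == nil {
-		v.PR = val
-	}
-	return v
-}
-
 // InfoGetter is an interface with a method for returning the build info.
 type InfoGetter interface {
 	// GetInfo returns the build info.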
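Review bot: Dropping Repo, Branch, Hash, Build and PR from the exported `Info` struct, and the `main.branch`/`main.commit` ldflags from appendFlags, is a breaking change for plugins that read those fields from `build.buildInfoJSON` or declare `var branch, commit string` in main expecting the SDK to populate them, and nothing in the hunk documents it. I would add a doc comment on `Info` stating that it intentionally carries only the plugin ID, version and build time, and that repository metadata is not embedded because a remote URL may contain credentials; the removed ldflags belong in the changelog. The `// this will append build flags -- the keys are picked to match existing` comment above appendFlags is cut off by the hunk and could mention that only the three remaining fields are exported. The `Info` struct header and the appendFlags body both extend outside the hunk.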
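--- a/build/info_test.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package build
-
-import (
-	"fmt"
-	"os"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestFillBuildInfo(t *testing.T) {
-	// Set this as a constant for testing
-	now = func() time.Time { return time.Unix(1515151515, 0) }
-	t.Cleanup(func() {
-		now = time.Now
-	})
-
-	t.Run("drone", func(t *testing.T) {
-		t.Setenv("DRONE_REPO_LINK", "https://github.com/octocat/hello-world")
-		t.Setenv("DRONE_BRANCH", "main")
-		t.Setenv("DRONE_COMMIT_SHA", "bcdd4bf0245c82c060407b3b24b9b87301d15ac1")
-		t.Setenv("DRONE_BUILD_NUMBER", "22")
-		t.Setenv("DRONE_PULL_REQUEST", "33")
-
-		info := getBuildInfoFromEnvironment()
-		require.NotNil(t, info)
-		assert.Equal(t, "main", info.Branch)
-		assert.Equal(t, "bcdd4bf0245c82c060407b3b24b9b87301d15ac1", info.Hash)
-		assert.Equal(t, int64(22), info.Build)
-		assert.Equal(t, int64(33), info.PR)
-	})
-
-	t.Run("circle", func(t *testing.T) {
-		os.Clearenv() // Clear DRONE env vars in CI environment
-		t.Setenv("CIRCLE_PROJECT_REPONAME", "https://github.com/octocat/hello-world")
-		t.Setenv("CIRCLE_BRANCH", "main")
-		t.Setenv("CIRCLE_SHA1", "bcdd4bf0245c82c060407b3b24b9b87301d15ac1")
-		t.Setenv("CIRCLE_BUILD_NUM", "22")
-		t.Setenv("CI_PULL_REQUEST", "33")
-
-		info := getBuildInfoFromEnvironment()
-		require.NotNil(t, info)
-		assert.Equal(t, "main", info.Branch)
-		assert.Equal(t, "bcdd4bf0245c82c060407b3b24b9b87301d15ac1", info.Hash)
-		assert.Equal(t, int64(22), info.Build)
-		assert.Equal(t, int64(33), info.PR)
-	})
-
-	// really testable since it delegates to functions, but helful in local dev
-	t.Run("git commands", func(t *testing.T) {
-		info := getBuildInfoFromEnvironment()
-		fmt.Printf("BUILD: %#v\n", info)
-		require.NotNil(t, info)
-	})
-}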
References (6)
- github.com/advisories/GHSA-xxxw-3j6h-q7h6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-8986 (ghsa, ADVISORY)
- github.com/grafana/grafana-plugin-sdk-go/commit/aaa26d1bebaaf6160c37d3f1226a750eab70ca41 (ghsa, WEB)
- grafana.com/security/security-advisories/cve-2024-8986 (ghsa, WEB)
- pkg.go.dev/vuln/GO-2024-3140 (ghsa, WEB)
- grafana.com/security/security-advisories/cve-2024-8986/ (nvd)