From bb974ab7bb88629640d0a14f36838a632d6d6c98 Mon Sep 17 00:00:00 2001
From: Markus Staab
Date: Sun, 7 Jun 2026 15:27:40 +0200
Subject: [PATCH] Prevent ENV var tokens from beeing leaked by commited DI containers
---
 src/Command/CommandHelper.php | 3 +-
 src/Command/Environment.php | 36 ++++++++++++++++++++
 src/Command/FixerApplication.php | 3 +-
 src/DependencyInjection/Configurator.php | 4 ---
 src/DependencyInjection/ContainerFactory.php | 6 ++--
 src/DependencyInjection/LoaderFactory.php | 4 +--
 6 files changed, 43 insertions(+), 13 deletions(-)
 create mode 100644 src/Command/Environment.php
diff --git a/src/Command/CommandHelper.php b/src/Command/CommandHelper.php
index 612d1ed7625..aa8a2a2210c 100644
--- a/src/Command/CommandHelper.php
+++ b/src/Command/CommandHelper.php
@@ -48,7 +48,6 @@
 use function error_get_last;
 use function get_class;
 use function getcwd;
-use function getenv;
 use function gettype;
 use function implode;
 use function ini_get;
@@ -270,7 +269,7 @@ public static function begin(
 $defaultParameters = [
 'rootDir' => $containerFactory->getRootDirectory(),
 'currentWorkingDirectory' => $containerFactory->getCurrentWorkingDirectory(),
- 'env' => getenv(),
+ 'env' => Environment::getCleanedArray(),
 ];
 if (isset($projectConfig['parameters']['tmpDir'])) {
diff --git a/src/Command/Environment.php b/src/Command/Environment.php
new file mode 100644
index 00000000000..c7e0b87c2d8
--- /dev/null
+++ b/src/Command/Environment.php
@@ -0,0 +1,36 @@
+
+ */
+ public static function getCleanedArray(): array
+ {
+ $env = getenv();
+ $cleanedArray = [];
+ foreach ($env as $name => $value) {
+ if (in_array($name, self::SENSITIVE_ENV_VARIABLES, true)) {
+ continue;
+ }
+ $cleanedArray[$name] = $value;
+ }
+ return $cleanedArray;
+ }
+ }
diff --git a/src/Command/FixerApplication.php b/src/Command/FixerApplication.php
index d0deb1607ac..423d0f01b66 100644
--- a/src/Command/FixerApplication.php
+++ b/src/Command/FixerApplication.php
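Review bot: `getCleanedArray()` drops only the exact names listed in `SENSITIVE_ENV_VARIABLES` (its definition is not legible in this rendering; the lines removed from Configurator.php suggest `GITHUB_TOKEN`, `CI_JOB_TOKEN` and `PRIVATE-TOKEN`), so any other secret-bearing variable present in a CI environment is still serialised into the generated container file — the leak the commit title describes, just under a different name. A cheap second line of defence next to the exact match is a suffix heuristic, e.g. `if (in_array($name, self::SENSITIVE_ENV_VARIABLES, true) || preg_match('/(_TOKEN|_SECRET|_PASSWORD)$/', $name) === 1) {` (with `use function preg_match;`), accepting that a configuration which reads such a variable through the `env` parameter would then need a differently named variable. The explanatory comment deleted from Configurator.php is not visible in the new file as rendered here; if it did not move, the constant should carry a docblock saying why a name is on the list and that the list exists because container files get committed. Longer term the robust fix is to stop embedding the whole process environment in the container and carry only the variables the configuration actually references, which would make the deny list unnecessary.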
@@ -48,7 +48,6 @@
 use function defined;
 use function escapeshellarg;
 use function get_class;
-use function getenv;
 use function http_build_query;
 use function ini_get;
 use function is_file;
@@ -269,7 +268,7 @@ private function getFixerProcess(OutputInterface $output, int $serverPort): Proc
 throw new FixerProcessException();
 }
- $env = getenv();
+ $env = Environment::getCleanedArray();
 $env['PHPSTAN_PRO_TMP_DIR'] = $this->proTmpDir;
 $forcedPort = $_SERVER['PHPSTAN_PRO_WEB_PORT'] ?? null;
 if ($forcedPort !== null) {
diff --git a/src/DependencyInjection/Configurator.php b/src/DependencyInjection/Configurator.php
index 39cade4fc9e..7865956266b 100644
--- a/src/DependencyInjection/Configurator.php
+++ b/src/DependencyInjection/Configurator.php
@@ -96,10 +96,6 @@ public function loadContainer(): string
 unset($staticParameters['env']['SHELL_VERBOSITY']);
 // make sure invocations via blackfire use the same container
 unset($staticParameters['env']['BLACKFIRE_AGENT_SOCKET']);
- // prevent known sensitive parameter from being leaked, when container files committed in repositories
- unset($staticParameters['env']['GITHUB_TOKEN']);
- unset($staticParameters['env']['CI_JOB_TOKEN']); // gitlab
- unset($staticParameters['env']['PRIVATE-TOKEN']); // gitlab
 $containerKey = [
 $staticParameters,
diff --git a/src/DependencyInjection/ContainerFactory.php b/src/DependencyInjection/ContainerFactory.php
index cac88d0e39b..7725ce98bd3 100644
--- a/src/DependencyInjection/ContainerFactory.php
+++ b/src/DependencyInjection/ContainerFactory.php
@@ -23,6 +23,7 @@
 use PHPStan\BetterReflection\SourceLocator\SourceStubber\PhpStormStubsSourceStubber;
 use PHPStan\BetterReflection\SourceLocator\Type\SourceLocator;
 use PHPStan\Command\CommandHelper;
+use PHPStan\Command\Environment;
 use PHPStan\File\FileHelper;
 use PHPStan\Node\Printer\Printer;
 use PHPStan\Php\PhpVersion;
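Review bot: The `$env = Environment::getCleanedArray();` line in getFixerProcess changes what the fixer child process receives, which is a different concern from the committed-container leak the commit is about: if `$env` is the environment handed to the spawned process (the rest of getFixerProcess, including its start and end, is outside the hunk), a CI job whose fixer run relied on those variables no longer sees them. If that is intended — the child cannot re-serialise tokens it never received — a one-line comment would stop a well-meaning revert, e.g. `// same filtered view as the DI container: the child must not receive the CI tokens either`. If it is not intended, keep `getenv()` here, since the container-building call sites now filter on their own.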
@@ -42,7 +43,6 @@
 use function count;
 use function dirname;
 use function extension_loaded;
-use function getenv;
 use function implode;
 use function ini_get;
 use function is_array;
@@ -118,7 +118,7 @@ public function create(
 [
 'rootDir' => $this->rootDirectory,
 'currentWorkingDirectory' => $this->currentWorkingDirectory,
- 'env' => getenv(),
+ 'env' => Environment::getCleanedArray(),
 ],
 );
@@ -146,7 +146,7 @@ public function create(
 'generateBaselineFile' => $generateBaselineFile,
 'usedLevel' => $usedLevel,
 'cliAutoloadFile' => $cliAutoloadFile,
- 'env' => getenv(),
+ 'env' => Environment::getCleanedArray(),
 ], $additionalParameters));
 $configurator->addDynamicParameters([
 'singleReflectionFile' => $singleReflectionFile,
diff --git a/src/DependencyInjection/LoaderFactory.php b/src/DependencyInjection/LoaderFactory.php
index de6ac821e2c..c25a5be8bd7 100644
--- a/src/DependencyInjection/LoaderFactory.php
+++ b/src/DependencyInjection/LoaderFactory.php
@@ -3,8 +3,8 @@
 namespace PHPStan\DependencyInjection;
 use Nette\DI\Config\Loader;
+use PHPStan\Command\Environment;
 use PHPStan\File\FileHelper;
-use function getenv;
 final class LoaderFactory
 {
@@ -32,7 +32,7 @@ public function createLoader(): Loader
 $loader->setParameters([
 'rootDir' => $this->rootDir,
 'currentWorkingDirectory' => $this->currentWorkingDirectory,
- 'env' => getenv(),
+ 'env' => Environment::getCleanedArray(),
 ]);
 return $loader;
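Review bot: `Environment::getCleanedArray()` is evaluated twice inside create(), once in the `@@ -118` hunk and again in the `@@ -146` hunk, so the environment is read and filtered twice per container build and the two `env` parameters are only equal as long as nothing touches the process environment in between. Compute it once into a local before the first site, `$env = Environment::getCleanedArray();`, and pass `'env' => $env,` at both. The same snapshot is taken a third and fourth time in CommandHelper::begin and LoaderFactory::createLoader; a `static` memo inside getCleanedArray() would give every caller one consistent view, provided nothing in the run is expected to observe later `putenv()` changes. create() starts and ends outside these hunks.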