Deduplicate and blacklist some env vars

matt-aitken · matt-aitken · commit e39eeeb53c89 · 2025-05-21T13:21:07.000+01:00
diff --git a/apps/webapp/app/v3/environmentVariables/environmentVariablesRepository.server.ts b/apps/webapp/app/v3/environmentVariables/environmentVariablesRepository.server.ts
@@ -1,24 +1,19 @@
-import {
-  Prisma,
-  PrismaClient,
-  RuntimeEnvironment,
-  RuntimeEnvironmentType,
-} from "@trigger.dev/database";
+import { Prisma, type PrismaClient, type RuntimeEnvironmentType } from "@trigger.dev/database";
 import { z } from "zod";
-import { environmentFullTitle, environmentTitle } from "~/components/environments/EnvironmentLabel";
+import { environmentFullTitle } from "~/components/environments/EnvironmentLabel";
 import { $transaction, prisma } from "~/db.server";
 import { env } from "~/env.server";
 import { getSecretStore } from "~/services/secrets/secretStore.server";
 import { generateFriendlyId } from "../friendlyIdentifiers";
 import {
-  CreateResult,
-  DeleteEnvironmentVariable,
-  DeleteEnvironmentVariableValue,
-  EnvironmentVariable,
-  EnvironmentVariableWithSecret,
-  ProjectEnvironmentVariable,
-  Repository,
-  Result,
+  type CreateResult,
+  type DeleteEnvironmentVariable,
+  type DeleteEnvironmentVariableValue,
+  type EnvironmentVariable,
+  type EnvironmentVariableWithSecret,
+  type ProjectEnvironmentVariable,
+  type Repository,
+  type Result,
 } from "./repository";
 
 function secretKeyProjectPrefix(projectId: string) {
@@ -94,9 +89,7 @@ export class EnvironmentVariablesRepository implements Repository {
     }
 
     // Remove `TRIGGER_SECRET_KEY` or `TRIGGER_API_URL`
-    let values = options.variables.filter(
-      (v) => v.key !== "TRIGGER_SECRET_KEY" && v.key !== "TRIGGER_API_URL"
-    );
+    let values = removeBlacklistedVariables(options.variables);
 
     //get rid of empty variables
     values = values.filter((v) => v.key.trim() !== "" && v.value.trim() !== "");
@@ -610,12 +603,14 @@ export class EnvironmentVariablesRepository implements Repository {
       mergedSecrets.set(parsedKey, secret.value.secret);
     }
 
-    return Array.from(mergedSecrets.entries()).map(([key, value]) => {
+    const merged = Array.from(mergedSecrets.entries()).map(([key, value]) => {
       return {
         key,
         value,
       };
     });
+
+    return removeBlacklistedVariables(merged);
   }
 
   async getEnvironmentVariables(
@@ -833,7 +828,24 @@ export async function resolveVariablesForEnvironment(
       ? await resolveBuiltInDevVariables(runtimeEnvironment)
       : await resolveBuiltInProdVariables(runtimeEnvironment, parentEnvironment);
 
-  return [...overridableTriggerVariables, ...projectSecrets, ...builtInVariables];
+  return deduplicateVariableArray([
+    ...overridableTriggerVariables,
+    ...projectSecrets,
+    ...builtInVariables,
+  ]);
+}
+
+/** Later variables override earlier ones */
+export function deduplicateVariableArray(variables: EnvironmentVariable[]) {
+  const result: EnvironmentVariable[] = [];
+  // Process array in reverse order so later variables override earlier ones
+  for (const variable of [...variables].reverse()) {
+    if (!result.some((v) => v.key === variable.key)) {
+      result.push(variable);
+    }
+  }
+  // Reverse back to maintain original order but with later variables taking precedence
+  return result.reverse();
 }
 
 async function resolveOverridableTriggerVariables(
@@ -1020,3 +1032,42 @@ async function resolveCommonBuiltInVariables(
 ): Promise<Array<EnvironmentVariable>> {
   return [];
 }
+
+type VariableRule =
+  | { type: "exact"; key: string }
+  | { type: "prefix"; prefix: string }
+  | { type: "whitelist"; key: string };
+
+const blacklistedVariables: VariableRule[] = [
+  { type: "exact", key: "TRIGGER_SECRET_KEY" },
+  { type: "exact", key: "TRIGGER_API_URL" },
+  { type: "prefix", prefix: "OTEL_" },
+  { type: "whitelist", key: "OTEL_LOG_LEVEL" },
+];
+
+export function removeBlacklistedVariables(
+  variables: EnvironmentVariable[]
+): EnvironmentVariable[] {
+  return variables.filter((v) => {
+    const whitelisted = blacklistedVariables.find(
+      (bv) => bv.type === "whitelist" && bv.key === v.key
+    );
+    if (whitelisted) {
+      return true;
+    }
+
+    const exact = blacklistedVariables.find((bv) => bv.type === "exact" && bv.key === v.key);
+    if (exact) {
+      return false;
+    }
+
+    const prefix = blacklistedVariables.find(
+      (bv) => bv.type === "prefix" && v.key.startsWith(bv.prefix)
+    );
+    if (prefix) {
+      return false;
+    }
+
+    return true;
+  });
+}
diff --git a/apps/webapp/test/environmentVariableDeduplication.test.ts b/apps/webapp/test/environmentVariableDeduplication.test.ts
@@ -0,0 +1,64 @@
+import { describe, it, expect } from "vitest";
+import { deduplicateVariableArray } from "../app/v3/environmentVariables/environmentVariablesRepository.server";
+import type { EnvironmentVariable } from "../app/v3/environmentVariables/repository";
+
+describe("Deduplicate variables", () => {
+  it("should keep later variables when there are duplicates", () => {
+    const variables: EnvironmentVariable[] = [
+      { key: "API_KEY", value: "old_value" },
+      { key: "API_KEY", value: "new_value" },
+    ];
+
+    const result = deduplicateVariableArray(variables);
+
+    expect(result).toHaveLength(1);
+    expect(result[0]).toEqual({ key: "API_KEY", value: "new_value" });
+  });
+
+  it("should preserve order of unique variables", () => {
+    const variables: EnvironmentVariable[] = [
+      { key: "FIRST", value: "first" },
+      { key: "SECOND", value: "second" },
+      { key: "THIRD", value: "third" },
+    ];
+
+    const result = deduplicateVariableArray(variables);
+
+    expect(result).toHaveLength(3);
+    expect(result[0].key).toBe("FIRST");
+    expect(result[1].key).toBe("SECOND");
+    expect(result[2].key).toBe("THIRD");
+  });
+
+  it("should handle multiple duplicates with later values taking precedence", () => {
+    const variables: EnvironmentVariable[] = [
+      { key: "DB_URL", value: "old_db" },
+      { key: "API_KEY", value: "old_key" },
+      { key: "DB_URL", value: "new_db" },
+      { key: "API_KEY", value: "new_key" },
+    ];
+
+    const result = deduplicateVariableArray(variables);
+
+    expect(result).toHaveLength(2);
+    expect(result.find((v) => v.key === "DB_URL")?.value).toBe("new_db");
+    expect(result.find((v) => v.key === "API_KEY")?.value).toBe("new_key");
+  });
+
+  it("should handle empty array", () => {
+    const result = deduplicateVariableArray([]);
+    expect(result).toEqual([]);
+  });
+
+  it("should handle array with no duplicates", () => {
+    const variables: EnvironmentVariable[] = [
+      { key: "VAR1", value: "value1" },
+      { key: "VAR2", value: "value2" },
+    ];
+
+    const result = deduplicateVariableArray(variables);
+
+    expect(result).toHaveLength(2);
+    expect(result).toEqual(variables);
+  });
+});
diff --git a/apps/webapp/test/environmentVariableRules.test.ts b/apps/webapp/test/environmentVariableRules.test.ts
@@ -0,0 +1,112 @@
+import { describe, it, expect } from "vitest";
+import { removeBlacklistedVariables } from "../app/v3/environmentVariables/environmentVariablesRepository.server";
+import type { EnvironmentVariable } from "../app/v3/environmentVariables/repository";
+
+describe("removeBlacklistedVariables", () => {
+  it("should remove exact match blacklisted variables", () => {
+    const variables: EnvironmentVariable[] = [
+      { key: "TRIGGER_SECRET_KEY", value: "secret123" },
+      { key: "TRIGGER_API_URL", value: "https://api.example.com" },
+      { key: "NORMAL_VAR", value: "normal" },
+    ];
+
+    const result = removeBlacklistedVariables(variables);
+
+    expect(result).toEqual([{ key: "NORMAL_VAR", value: "normal" }]);
+  });
+
+  it("should remove variables with blacklisted prefixes", () => {
+    const variables: EnvironmentVariable[] = [
+      { key: "OTEL_SERVICE_NAME", value: "my-service" },
+      { key: "OTEL_TRACE_SAMPLER", value: "always_on" },
+      { key: "NORMAL_VAR", value: "normal" },
+    ];
+
+    const result = removeBlacklistedVariables(variables);
+
+    expect(result).toEqual([{ key: "NORMAL_VAR", value: "normal" }]);
+  });
+
+  it("should keep whitelisted variables even if they match a blacklisted prefix", () => {
+    const variables: EnvironmentVariable[] = [
+      { key: "OTEL_LOG_LEVEL", value: "debug" },
+      { key: "OTEL_SERVICE_NAME", value: "my-service" },
+      { key: "NORMAL_VAR", value: "normal" },
+    ];
+
+    const result = removeBlacklistedVariables(variables);
+
+    expect(result).toEqual([
+      { key: "OTEL_LOG_LEVEL", value: "debug" },
+      { key: "NORMAL_VAR", value: "normal" },
+    ]);
+  });
+
+  it("should handle empty input array", () => {
+    const variables: EnvironmentVariable[] = [];
+
+    const result = removeBlacklistedVariables(variables);
+
+    expect(result).toEqual([]);
+  });
+
+  it("should handle mixed case variables", () => {
+    const variables: EnvironmentVariable[] = [
+      { key: "trigger_secret_key", value: "secret123" }, // Different case
+      { key: "OTEL_LOG_LEVEL", value: "debug" },
+      { key: "otel_service_name", value: "my-service" }, // Different case
+      { key: "NORMAL_VAR", value: "normal" },
+    ];
+
+    const result = removeBlacklistedVariables(variables);
+
+    // Should keep only the whitelisted OTEL_LOG_LEVEL and NORMAL_VAR
+    // Note: The function is case-sensitive, so different case variables should pass through
+    expect(result).toEqual([
+      { key: "trigger_secret_key", value: "secret123" },
+      { key: "OTEL_LOG_LEVEL", value: "debug" },
+      { key: "otel_service_name", value: "my-service" },
+      { key: "NORMAL_VAR", value: "normal" },
+    ]);
+  });
+
+  it("should handle variables with empty values", () => {
+    const variables: EnvironmentVariable[] = [
+      { key: "TRIGGER_SECRET_KEY", value: "" },
+      { key: "OTEL_SERVICE_NAME", value: "" },
+      { key: "OTEL_LOG_LEVEL", value: "" },
+      { key: "NORMAL_VAR", value: "" },
+    ];
+
+    const result = removeBlacklistedVariables(variables);
+
+    expect(result).toEqual([
+      { key: "OTEL_LOG_LEVEL", value: "" },
+      { key: "NORMAL_VAR", value: "" },
+    ]);
+  });
+
+  it("should handle all types of rules in a single array", () => {
+    const variables: EnvironmentVariable[] = [
+      // Exact matches (should be removed)
+      { key: "TRIGGER_SECRET_KEY", value: "secret123" },
+      { key: "TRIGGER_API_URL", value: "https://api.example.com" },
+      // Prefix matches (should be removed)
+      { key: "OTEL_SERVICE_NAME", value: "my-service" },
+      { key: "OTEL_TRACE_SAMPLER", value: "always_on" },
+      // Whitelist exception (should be kept)
+      { key: "OTEL_LOG_LEVEL", value: "debug" },
+      // Normal variables (should be kept)
+      { key: "NORMAL_VAR", value: "normal" },
+      { key: "DATABASE_URL", value: "postgres://..." },
+    ];
+
+    const result = removeBlacklistedVariables(variables);
+
+    expect(result).toEqual([
+      { key: "OTEL_LOG_LEVEL", value: "debug" },
+      { key: "NORMAL_VAR", value: "normal" },
+      { key: "DATABASE_URL", value: "postgres://..." },
+    ]);
+  });
+});
