Apply repo settings: Disable loading env files as well as merging from other sources (#2077)

* Apply repo settings: Disable loading env files as well as merging from other sources. * Add warning in case of exception of failed Dynaconf init * code suggestion * Missing e
2025-12-11 18:35:18 +00:00 · 2025-10-22 08:53:16 +03:00 · 2025-10-22 08:53:16 +03:00 · f2bbf708f2
commit f2bbf708f2
parent 5f8ac3d8cf
1 changed files with 21 additions and 1 deletions
--- a/pr_agent/git_providers/utils.py
+++ b/pr_agent/git_providers/utils.py
@ -35,8 +35,28 @@ def apply_repo_settings(pr_url):
                try:
                    fd, repo_settings_file = tempfile.mkstemp(suffix='.toml')
                    os.write(fd, repo_settings)
-                    new_settings = Dynaconf(settings_files=[repo_settings_file])
+
+                    try:
+                        new_settings = Dynaconf(settings_files=[repo_settings_file],
+                                                # Disable all dynamic loading features
+                                                load_dotenv=False,  # Don't load .env files
+                                                merge_enabled=False,  # Don't allow merging from other sources
+                                                )
+                    except TypeError as e:
+                        import traceback
+                        # Fallback for older Dynaconf versions that don't support these parameters
+                        get_logger().warning(
+                            "Your Dynaconf version does not support disabled 'load_dotenv'/'merge_enabled' parameters. "
+                            "Loading repo settings without these security features. "
+                            "Please upgrade Dynaconf for better security.",
+                            artifact={"error": e, "traceback": traceback.format_exc()})
+                        new_settings = Dynaconf(settings_files=[repo_settings_file])
+
                    for section, contents in new_settings.as_dict().items():
+                        if not contents:
+                            # Skip excluded items, such as forbidden to load env.
+                            get_logger().debug(f"Skipping a section: {section} which is not allowed")
+                            continue
                        section_dict = copy.deepcopy(get_settings().as_dict().get(section, {}))
                        for key, value in contents.items():
                            section_dict[key] = value