From f2bbf708f2ffcfd6b37294c4cf5c0e9b7872a17e Mon Sep 17 00:00:00 2001
From: sharoneyal
Date: Wed, 22 Oct 2025 08:53:16 +0300
Subject: [PATCH] Apply repo settings: Disable loading env files as well as merging from other sources (#2077)

* Apply repo settings: Disable loading env files as well as merging from other sources.
* Add warning in case of exception of failed Dynaconf init
* code suggestion
* Missing e
---
 pr_agent/git_providers/utils.py | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/pr_agent/git_providers/utils.py b/pr_agent/git_providers/utils.py
index 0cfbe116..beec155d 100644
--- a/pr_agent/git_providers/utils.py
+++ b/pr_agent/git_providers/utils.py
@@ -35,8 +35,28 @@ def apply_repo_settings(pr_url):
 try:
 fd, repo_settings_file = tempfile.mkstemp(suffix='.toml')
 os.write(fd, repo_settings)
- new_settings = Dynaconf(settings_files=[repo_settings_file])
+
+ try:
+ new_settings = Dynaconf(settings_files=[repo_settings_file],
+ # Disable all dynamic loading features
+ load_dotenv=False, # Don't load .env files
+ merge_enabled=False, # Don't allow merging from other sources
+ )
+ except TypeError as e:
+ import traceback
+ # Fallback for older Dynaconf versions that don't support these parameters
+ get_logger().warning(
+ "Your Dynaconf version does not support disabled 'load_dotenv'/'merge_enabled' parameters. "
+ "Loading repo settings without these security features. "
+ "Please upgrade Dynaconf for better security.",
+ artifact={"error": e, "traceback": traceback.format_exc()})
+ new_settings = Dynaconf(settings_files=[repo_settings_file])
+
 for section, contents in new_settings.as_dict().items():
+ if not contents:
+ # Skip excluded items, such as forbidden to load env.
+ get_logger().debug(f"Skipping a section: {section} which is not allowed")
+ continue
 section_dict = copy.deepcopy(get_settings().as_dict().get(section, {}))
 for key, value in contents.items():
 section_dict[key] = value
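Review bot: The `if not contents:` branch treats every empty section as a blocked source, so a repo settings file with a legitimately empty table is logged as "not allowed"; the comment and message should state only what is known, e.g. `# Empty section: either genuinely empty or its contents were not loaded; nothing to merge.` and `get_logger().debug(f"Skipping empty section: {section}")`. The `except TypeError as e:` fallback also catches any TypeError raised during Dynaconf initialisation, not only the unsupported-keyword case, and then re-initialises without the hardening, so a real bug would be silently downgraded; consider `if "unexpected keyword" not in str(e): raise` before the fallback. Note that `load_dotenv=False` and `merge_enabled=False` cover `.env` files and cross-source merging, while environment-variable overrides are, to my knowledge, a separate Dynaconf mechanism (`envvar_prefix`), so "disable loading env" in the commit message should be read as `.env` files only — worth confirming that scope is intended. The `fd` returned by `mkstemp` is not closed within the hunk; apply_repo_settings starts before and continues after it, so closing may happen in a `finally` outside the view. The `import traceback` inside the except clause would conventionally live with the module-level imports.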