Fix potential controller sensitive data exposure by sprig template functions

README.md

@@ -117,7 +117,7 @@ In particular, the annotations and labels of a `SealedSecret` resource are not t
 
 To capture this distinction, the `SealedSecret` object has a `template` section which encodes all the fields you want the controller to put in the unsealed `Secret`.
 
-The [Sprig function library](https://masterminds.github.io/sprig/) is available in addition to the default Go Text Template functions.
+The [Sprig function library](https://masterminds.github.io/sprig/) is available (except for `env`, `expandenv` and `getHostByName`) in addition to the default Go Text Template functions.
 
 The `metadata` block is copied as is (the `ownerReference` field will be updated [unless disabled](#seal-secret-which-can-skip-set-owner-references)).
 

pkg/apis/sealedsecrets/v1alpha1/sealedsecret_expansion.go

@@ -35,8 +35,17 @@ const (
 var (
 	// TODO(mkm): remove after a release.
 	AcceptDeprecatedV1Data = false
+
+	sprigFuncMap = sprig.GenericFuncMap() // a singleton for better performance
 )
 
+func init() {
+	// Avoid allowing the user to learn things about the environment.
+	delete(sprigFuncMap, "env")
+	delete(sprigFuncMap, "expandenv")
+	delete(sprigFuncMap, "getHostByName")
+}
+
 // SealedSecretExpansion has methods to work with SealedSecrets resources.
 type SealedSecretExpansion interface {
 	Unseal(codecs runtimeserializer.CodecFactory, privKeys map[string]*rsa.PrivateKey) (*v1.Secret, error)
@@ -291,7 +300,8 @@ func (s *SealedSecret) Unseal(codecs runtimeserializer.CodecFactory, privKeys ma
 
 		for key, value := range s.Spec.Template.Data {
 			var plaintext bytes.Buffer
-			template, err := template.New(key).Funcs(sprig.FuncMap()).Parse(value)
+
+			template, err := template.New(key).Funcs(sprigFuncMap).Parse(value)
 			if err != nil {
 				errs = append(errs, multierror.Tag(key, err))
 				continue