Job "Environment" tab entries are not shell-escaped

The environment variable contents displayed in a Job’s “Environment” tab don’t appear to get fully escaped. If these get copied and pasted into a shell, the contents may get unintentionally executed rather than interpreted as string data.

For instance, a pipeline triggered against a commit with a message that happens to include some shell might produce a job environment with an entry

    BUILDKITE_MESSAGE="Another message. This time with difficult text.

    $(... | perl -nle 'BEGIN {$\\=\",\"} print for split' | ...)"

in which the $( command-substitution is not escaped. Without escaping, the enclosed pipeline will be executed when pasted into common shells such as Bash or Zsh.

Pipelines exhibiting this issue still run fine and steps within them see the proper contents, so I suspect this is likely just a display issue. The content remains unescaped after toggling the “Show export Prefix” and the contents captured by “Copy to Clipboard” are also not escaped. These UI features are very convenient when debugging jobs; it would be nice if I didn’t have to watch out for this hazard.

Hi @peter.tecton,

Welcome to the Buildkite Community! :wave:

Thank you for raising this issue. I will raise this to our engineering team. We’ll keep you posted.


Hi @peter.tecton

You have a good point about the Environment tab :+1:

However, the intention with the contents of that tab is to put them into a file that you can use locally, just like the buildkite-agent does. The Environment tab contents are exactly the same as the $BUILDKITE_ENV_FILE used by the agent when running builds. So we don’t recommend pasting them directly into an interactive shell for that reason.

Hope that helps!
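
An added example, not part of the thread and not Buildkite code: one way to turn text copied from the Environment tab into `export` lines that are safe to paste, by parsing the entries as data and single-quoting every value. The entry format handled here (`NAME="value"` with only `\"` and `\\` as escapes), the function names and the sample text are assumptions made for illustration.

```python
import re
import shlex

# Assumed entry format (not confirmed by the page): NAME="value", where only
# \" and \\ are escapes and a value may span several lines.
NAME = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)=')

# Constructed sample in the shape of the entry quoted in the thread.
SAMPLE = r'''BUILDKITE_MESSAGE="Fix it's parser.

    $(date) and `id` in \"quotes\""
BUILDKITE_BRANCH=main
'''

def parse_env_text(text):
    """Read entries as plain data; nothing here is ever evaluated by a shell."""
    entries, i, n = {}, 0, len(text)
    while i < n:
        m = NAME.match(text, i)
        if not m:                       # blank or unrecognised line: skip it
            nl = text.find("\n", i)
            i = n if nl == -1 else nl + 1
            continue
        key, i = m.group(1), m.end()
        if i < n and text[i] == '"':    # quoted, possibly multi-line value
            i, buf = i + 1, []
            while i < n and text[i] != '"':
                if text[i] == "\\" and i + 1 < n and text[i + 1] in '"\\':
                    i += 1              # drop the escaping backslash
                buf.append(text[i])
                i += 1
            if i >= n:
                raise ValueError(f"unterminated value for {key}")
            value, i = "".join(buf), i + 1
        else:                           # bare value runs to end of line
            end = text.find("\n", i)
            end = n if end == -1 else end
            value, i = text[i:end], end
        entries[key] = value
    return entries

def to_safe_exports(entries):
    """Single-quote every value so $( ) and backticks stay literal when pasted."""
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in entries.items())

if __name__ == "__main__":
    print(to_safe_exports(parse_env_text(SAMPLE)))
```

Inside single quotes a POSIX shell performs no expansion, so the command substitution and backticks in the sample arrive in the variable as literal text.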