Changes to prevent the use of method find_dotenv (#429)

* Changes to prevent the use of method find_dotenv * updated changelog to include the removal of the usage of dotenv.finddotenv * Update to version for extractor-utils * Fix for mypy check failing * Changes suggested in the PR related to the version and the changelog phrasing --------- Co-authored-by: Nithin Bodanapu <[email protected]>
cognitedata · Feb 27, 2025 · eaffda2 · eaffda2
1 parent 050b6fe
commit eaffda2
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,12 @@ Changes are grouped as follows
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
+## 7.5.13
+
+### Security
+
+* Disabled recursive search for .env file. The change will prevent loading environment variables hosted in directories other than the current working directory. Environment variable management is now more explicit to enhance security, and reduce potential misconfigurations.
+
 ## 7.5.12
 
 ## Added

diff --git a/cognite/extractorutils/__init__.py b/cognite/extractorutils/__init__.py
@@ -16,7 +16,7 @@
 Cognite extractor utils is a Python package that simplifies the development of new extractors.
 """
 
-__version__ = "7.5.12"
+__version__ = "7.5.13"
 from .base import Extractor
 
 __all__ = ["Extractor"]
diff --git a/cognite/extractorutils/base.py b/cognite/extractorutils/base.py
@@ -22,7 +22,7 @@
 from types import TracebackType
 from typing import Any, Generic, TypeVar
 
-from dotenv import find_dotenv, load_dotenv
+from dotenv import load_dotenv
 
 from cognite.client import CogniteClient
 from cognite.client.data_classes import ExtractionPipeline, ExtractionPipelineRun
@@ -252,12 +252,11 @@ def __enter__(self) -> "Extractor":
 
         if str(os.getenv("COGNITE_FUNCTION_RUNTIME", False)).lower() != "true":
             # Environment Variables
-            env_file_path = find_dotenv(usecwd=True)
-            if env_file_path:
-                load_dotenv(dotenv_path=env_file_path, override=True)
-                dotenv_message = f"Successfully ingested environment variables from {env_file_path}"
+            env_file_found = load_dotenv(dotenv_path="./.env", override=True)
+            if env_file_found:
+                dotenv_message = "Successfully ingested environment variables from './.env'"
             else:
-                dotenv_message = "No .env file found"
+                dotenv_message = "No .env file found at {Path.cwd() / '.env'}"
         else:
             dotenv_message = "No .env file imported when using Cognite Functions"
 

diff --git a/cognite/extractorutils/configtools/loaders.py b/cognite/extractorutils/configtools/loaders.py
@@ -69,7 +69,7 @@ def __init__(self, config: dict | None):
         self.client: SecretClient | None = None
 
     def _init_client(self) -> None:
-        from dotenv import find_dotenv, load_dotenv
+        from dotenv import load_dotenv
 
         if not self.config:
             raise InvalidConfigError(
@@ -98,8 +98,10 @@ def _init_client(self) -> None:
 
             _logger.info("Using Azure ClientSecret credentials to access KeyVault")
 
-            dotenv_path = find_dotenv(usecwd=True)
-            load_dotenv(dotenv_path=dotenv_path, override=True)
+            env_file_found = load_dotenv("./.env", override=True)
+
+            if not env_file_found:
+                _logger.info(f"Local environment file not found at {Path.cwd() / '.env'}")
 
             if all(param in self.config for param in auth_parameters):
                 tenant_id = os.path.expandvars(self.config.get("tenant-id", None))

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "cognite-extractor-utils"
-version = "7.5.12"
+version = "7.5.13"
 description = "Utilities for easier development of extractors for CDF"
 authors = [
     {name = "Mathias Lohne", email = "[email protected]"}