OCI spec may contain duplicate environment variables

Closes #5226

PiperOrigin-RevId: 351259576

1 files changed, 10 insertions, 1 deletions

diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index f41d6c665..d7afd3dc1 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -440,6 +440,10 @@ func createProcessArgs(id string, spec *specs.Spec, creds *auth.Credentials, k *
 	if err != nil {
 		return kernel.CreateProcessArgs{}, fmt.Errorf("creating limits: %v", err)
 	}
+	env, err := specutils.ResolveEnvs(spec.Process.Env)
+	if err != nil {
+		return kernel.CreateProcessArgs{}, fmt.Errorf("resolving env: %w", err)
+	}
 
 	wd := spec.Process.Cwd
 	if wd == "" {
@@ -449,7 +453,7 @@ func createProcessArgs(id string, spec *specs.Spec, creds *auth.Credentials, k *
 	// Create the process arguments.
 	procArgs := kernel.CreateProcessArgs{
 		Argv:                    spec.Process.Args,
-		Envv:                    spec.Process.Env,
+		Envv:                    env,
 		WorkingDirectory:        wd,
 		Credentials:             creds,
 		Umask:                   0022,
@@ -933,6 +937,11 @@ func (l *Loader) executeAsync(args *control.ExecArgs) (kernel.ThreadID, error) {
 		}
 	}
 
+	args.Envv, err = specutils.ResolveEnvs(args.Envv)
+	if err != nil {
+		return 0, fmt.Errorf("resolving env: %w", err)
+	}
+
 	// Add the HOME environment variable if it is not already set.
 	if kernel.VFS2Enabled {
 		root := args.MountNamespaceVFS2.Root()