
Commit ab00d33

Fix potential controller sensitive data exposure by sprig template functions (#1703)
**Description of the change**

Fixing potential controller environment exposure by removing some sprig template functions:

- `env`, `expandenv` - controller environment variables exposure (which can contain sensitive data)
- `getHostByName` - adds the possibility to resolve DNS entries from templates, which is not secure in some cases

This potential exposure was added by PR #1542, where the security risks were described in the "possible drawbacks" section.

Also, the sprig func map is now initialized during module initialization and reused for rendering, which may improve performance.

In fact it is just a port of the [argocd](https://github.com/argoproj/argo-cd/blob/v2.11.3/applicationset/utils/utils.go#L31-L34) solution, which is described in the initial PR #1542.

**Benefits**

- Fix potential controller sensitive data exposure
- Improve rendering performance

**Possible drawbacks**

None

**Applicable issues**

**Additional information**

Signed-off-by: Artur Kraev <[email protected]>
1 parent 40f39fb commit ab00d33

File tree

2 files changed, +12 -2 lines changed

README.md

+1-1
@@ -117,7 +117,7 @@ In particular, the annotations and labels of a `SealedSecret` resource are not t
117117

118118
To capture this distinction, the `SealedSecret` object has a `template` section which encodes all the fields you want the controller to put in the unsealed `Secret`.
119119

120-
The [Sprig function library](https://masterminds.github.io/sprig/) is available in addition to the default Go Text Template functions.
120+
The [Sprig function library](https://masterminds.github.io/sprig/) is available (except for `env`, `expandenv` and `getHostByName`) in addition to the default Go Text Template functions.
121121

122122
The `metadata` block is copied as is (the `ownerReference` field will be updated [unless disabled](#seal-secret-which-can-skip-set-owner-references)).
123123
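Review bot: the new README sentence lists `env`, `expandenv` and `getHostByName` as unavailable but gives no reason, so users who find them in the linked Sprig docs will not know why they fail; add a short clause such as "removed because they would let a template read the controller's environment or resolve DNS names from the controller", and flag the change in the release notes, since any existing `template` field that already calls one of these functions will stop rendering after the upgrade (Go's text/template rejects undefined functions at parse time).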

pkg/apis/sealedsecrets/v1alpha1/sealedsecret_expansion.go

+11-1
@@ -35,8 +35,17 @@ const (
3535
var (
3636
// TODO(mkm): remove after a release.
3737
AcceptDeprecatedV1Data = false
38+
39+
sprigFuncMap = sprig.GenericFuncMap() // a singleton for better performance
3840
)
3941

42+
func init() {
43+
// Avoid allowing the user to learn things about the environment.
44+
delete(sprigFuncMap, "env")
45+
delete(sprigFuncMap, "expandenv")
46+
delete(sprigFuncMap, "getHostByName")
47+
}
48+
4049
// SealedSecretExpansion has methods to work with SealedSecrets resources.
4150
type SealedSecretExpansion interface {
4251
Unseal(codecs runtimeserializer.CodecFactory, privKeys map[string]*rsa.PrivateKey) (*v1.Secret, error)
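Review bot: `delete` on a map key that does not exist is a silent no-op, so the three `delete(sprigFuncMap, ...)` calls in `init()` give no signal if a future sprig release renames one of these functions or adds another environment-reading helper, and the denylist would quietly stop protecting the controller; add a unit test asserting that `sprigFuncMap` has no `env`, `expandenv` or `getHostByName` entry, and consider either pinning the sprig version this list was audited against or switching to an allowlist of the functions templates actually need. The `// a singleton for better performance` comment should also state that the map is mutated only in `init()` and is read-only afterwards, since it is shared by every `Unseal` call.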
@@ -291,7 +300,8 @@ func (s *SealedSecret) Unseal(codecs runtimeserializer.CodecFactory, privKeys ma
291300

292301
for key, value := range s.Spec.Template.Data {
293302
var plaintext bytes.Buffer
294-
template, err := template.New(key).Funcs(sprig.FuncMap()).Parse(value)
303+
304+
template, err := template.New(key).Funcs(sprigFuncMap).Parse(value)
295305
if err != nil {
296306
errs = append(errs, multierror.Tag(key, err))
297307
continue
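Review bot: `template, err := template.New(key).Funcs(sprigFuncMap).Parse(value)` declares a local named `template` that shadows the imported `text/template` package for the rest of the loop body; the problem predates this change, but since the line is being rewritten anyway, rename the local to `tmpl` so later uses of the package inside the loop keep compiling. Passing the shared `sprigFuncMap` is otherwise safe here: `Funcs` copies the entries into the template's own function map and does not mutate the argument.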
