disinto-admin/disinto
1
0
Fork 0
Code Issues 12 Pull requests Projects Releases Packages Wiki Activity Actions

fix: address review — jq-safe JSON construction in hvault.sh
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
ci/woodpecker/pr/secret-scan Pipeline was successful
Details
ci/woodpecker/pr/smoke-init Pipeline was successful
Details

Browse source 
- _hvault_err: use jq instead of printf to produce valid JSON on all inputs
- hvault_kv_get: use jq --arg for key lookup to prevent filter injection
- hvault_kv_put: build payload entirely via jq to properly escape keys

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude 2026-04-15 21:27:34 +00:00
parent fbb246c626
commit 14458f1f17
1 changed files with 6 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

22
lib/hvault.sh
View file

@ -20,8 +20,8 @@ set -euo pipefail
# Args: func_name, message, [detail] # Args: func_name, message, [detail]
_hvault_err() { _hvault_err() {
local func="$1" msg="$2" detail="${3:-}" local func="$1" msg="$2" detail="${3:-}"
printf '{"error":true,"function":"%s","message":"%s","detail":"%s"}\n' \ jq -n --arg func "$func" --arg msg "$msg" --arg detail "$detail" \
"$func" "$msg" "$detail" >&2 '{error:true,function:$func,message:$msg,detail:$detail}' >&2
} }
# _hvault_resolve_token — resolve VAULT_TOKEN from env or token file # _hvault_resolve_token — resolve VAULT_TOKEN from env or token file
@ -117,7 +117,7 @@ hvault_kv_get() {
response="$(_hvault_request GET "secret/data/${path}")" || return 1 response="$(_hvault_request GET "secret/data/${path}")" || return 1
if [ -n "$key" ]; then if [ -n "$key" ]; then
printf '%s' "$response" | jq -e -r ".data.data[\"$key\"]" 2>/dev/null || { printf '%s' "$response" | jq -e -r --arg key "$key" '.data.data[$key]' 2>/dev/null || {
_hvault_err "hvault_kv_get" "key not found" "key=$key path=$path" _hvault_err "hvault_kv_get" "key not found" "key=$key path=$path"
return 1 return 1
} }
@ -142,9 +142,8 @@ hvault_kv_put() {
fi fi
_hvault_check_prereqs "hvault_kv_put" || return 1 _hvault_check_prereqs "hvault_kv_put" || return 1
# Build JSON payload from KEY=VAL pairs using jq # Build JSON payload from KEY=VAL pairs entirely via jq
local payload='{"data":{' local payload='{"data":{}}'
local first=true
for kv in "$@"; do for kv in "$@"; do
local k="${kv%%=*}" local k="${kv%%=*}"
local v="${kv#*=}" local v="${kv#*=}"
@ -152,17 +151,8 @@ hvault_kv_put() {
_hvault_err "hvault_kv_put" "invalid KEY=VAL pair" "got: $kv" _hvault_err "hvault_kv_put" "invalid KEY=VAL pair" "got: $kv"
return 1 return 1
fi fi
if [ "$first" = true ]; then payload="$(printf '%s' "$payload" | jq --arg k "$k" --arg v "$v" '.data[$k] = $v')"
first=false
else
payload+=","
fi
# Use jq to safely encode the value
local encoded_v
encoded_v="$(printf '%s' "$v" | jq -Rs '.')"
payload+="$(printf '"%s":%s' "$k" "$encoded_v")"
done done
payload+='}}'
_hvault_request POST "secret/data/${path}" "$payload" >/dev/null _hvault_request POST "secret/data/${path}" "$payload" >/dev/null
} }