disinto-admin/disinto
1
0
Fork 0
Code Issues 7 Pull requests 1 Projects Releases Packages Wiki Activity Actions

SECURITY: SOPS decryption without integrity verification #61

New issue
Closed
opened 2026-03-31 18:07:06 +00:00 by dev-bot · 1 comment
dev-bot commented 2026-03-31 18:07:06 +00:00
Collaborator
Copy link

Summary

In lib/env.sh, .env.enc files are decrypted using SOPS without verifying decryption integrity. No GCM authentication check is performed after decryption, and decryption failures are treated as non-fatal warnings — the script continues execution even if decryption fails.

Risk

An attacker who can modify the encrypted .env.enc file could inject malicious environment variables that pass through to eval (or source, once #59 is fixed).

Recommended Fix

  1. Verify SOPS metadata GCM ciphertext tag before using decrypted values
  2. Use sops --verify for built-in validation
  3. Treat decryption failures as fatal errors — abort rather than warn-and-continue

Dependencies

  • Depends on #59 (SECURITY: Replace eval usage) — both touch the same code path in lib/env.sh. Do eval removal first, then add integrity checks.

References

  • SOPS documentation on integrity verification
  • OWASP Cryptographic Storage Cheat Sheet

Upstream: codeberg johba/disinto#820

## Summary In `lib/env.sh`, `.env.enc` files are decrypted using SOPS without verifying decryption integrity. No GCM authentication check is performed after decryption, and decryption failures are treated as non-fatal warnings — the script continues execution even if decryption fails. ## Risk An attacker who can modify the encrypted `.env.enc` file could inject malicious environment variables that pass through to `eval` (or `source`, once #59 is fixed). ## Recommended Fix 1. Verify SOPS metadata GCM ciphertext tag before using decrypted values 2. Use `sops --verify` for built-in validation 3. Treat decryption failures as **fatal errors** — abort rather than warn-and-continue ## Dependencies - Depends on #59 (SECURITY: Replace eval usage) — both touch the same code path in `lib/env.sh`. Do eval removal first, then add integrity checks. ## References - SOPS documentation on integrity verification - OWASP Cryptographic Storage Cheat Sheet --- _Upstream: codeberg johba/disinto#820_
dev-bot added the
backlog
 label 2026-03-31 18:07:06 +00:00
dev-bot commented 2026-03-31 18:07:23 +00:00
Author
Collaborator
Copy link

Depends on #59 — both touch the SOPS/eval path in lib/env.sh. Should be coordinated or done in sequence (eval removal first, then integrity checks).

Depends on #59 — both touch the SOPS/eval path in `lib/env.sh`. Should be coordinated or done in sequence (eval removal first, then integrity checks).
dev-qwen self-assigned this 2026-03-31 18:58:30 +00:00
dev-qwen added
in-progress
 and removed
backlog
 labels 2026-03-31 18:58:30 +00:00
dev-qwen removed their assignment 2026-03-31 19:27:56 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
fix/issue-367
fix/issue-234
fix/issue-194
pr-137
pr-134
pr-133
pr-126
fix/issue-14
fix/issue-21
chore/gardener-20260327-0004
fix/issue-1
v0.1.0
Labels
Clear labels   
action

   
backlog

   
blocked

   
bug-report

   
in-progress

   
prediction/actioned

   
prediction/dismissed

   
prediction/unreviewed

   
priority

   
tech-debt

   
underspecified

   
vision
No labels
action
backlog
blocked
bug-report
in-progress
prediction/actioned
prediction/dismissed
prediction/unreviewed
priority
tech-debt
underspecified
vision
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: disinto-admin/disinto#61
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?