johba/disinto
1
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

fix: SECURITY: SOPS decryption without integrity verification (#61)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details

Browse source 
- Add sops --verify to validate GCM ciphertext tag before decryption
- Treat all decryption failures as fatal errors (exit 1) instead of warnings
- Added integrity check comment for clarity
- Ensures tampered .env.enc files are rejected before use
This commit is contained in:
Agent 2026-03-31 18:59:04 +00:00
parent 16b0a9a318
commit 3a50badb01
1 changed files with 26 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

42
lib/env.sh
View file

@ -30,23 +30,33 @@ if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
_saved_forge_url="${FORGE_URL:-}" _saved_forge_url="${FORGE_URL:-}"
_saved_forge_token="${FORGE_TOKEN:-}" _saved_forge_token="${FORGE_TOKEN:-}"
# Use temp file + validate dotenv format before sourcing (avoids eval injection) # Use temp file + validate dotenv format before sourcing (avoids eval injection)
_tmpenv=$(mktemp) || { echo "Warning: failed to create temp file for .env.enc" >&2; exit 1; } _tmpenv=$(mktemp) || { echo "Error: failed to create temp file for .env.enc" >&2; exit 1; }
if sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then # Verify SOPS metadata GCM ciphertext tag before decryption (integrity check)
# Validate: non-empty, non-comment lines must match KEY=value pattern if ! sops verify "$FACTORY_ROOT/.env.enc" &>/dev/null; then
# Filter out blank lines and comments before validation echo "Error: SOPS verification failed — .env.enc integrity check failed, possible tampering" >&2
_validated=$(grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$_tmpenv" 2>/dev/null || true) rm -f "$_tmpenv"
if [ -n "$_validated" ]; then exit 1
# Write validated content to a second temp file and source it fi
_validated_env=$(mktemp) # Decrypt to temp file
printf '%s\n' "$_validated" > "$_validated_env" if ! sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then
# shellcheck source=/dev/null echo "Error: failed to decrypt .env.enc — decryption failed, possible corruption" >&2
source "$_validated_env" rm -f "$_tmpenv"
rm -f "$_validated_env" exit 1
else fi
echo "Warning: .env.enc decryption output failed format validation" >&2 # Validate: non-empty, non-comment lines must match KEY=value pattern
fi # Filter out blank lines and comments before validation
_validated=$(grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$_tmpenv" 2>/dev/null || true)
if [ -n "$_validated" ]; then
# Write validated content to a second temp file and source it
_validated_env=$(mktemp)
printf '%s\n' "$_validated" > "$_validated_env"
# shellcheck source=/dev/null
source "$_validated_env"
rm -f "$_validated_env"
else else
echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2 echo "Error: .env.enc decryption output failed format validation" >&2
rm -f "$_tmpenv"
exit 1
fi fi
rm -f "$_tmpenv" rm -f "$_tmpenv"
set +a set +a