No commits in common. "842e529004a10818053143d3aff22badaab4d721" and "16b0a9a318f2760ed12a2961c0523eac231e486c" have entirely different histories.

View file

@ -30,27 +30,23 @@ if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
_saved_forge_url="${FORGE_URL:-}" _saved_forge_url="${FORGE_URL:-}"
_saved_forge_token="${FORGE_TOKEN:-}" _saved_forge_token="${FORGE_TOKEN:-}"
# Use temp file + validate dotenv format before sourcing (avoids eval injection) # Use temp file + validate dotenv format before sourcing (avoids eval injection)
# SOPS -d automatically verifies MAC/GCM authentication tag during decryption _tmpenv=$(mktemp) || { echo "Warning: failed to create temp file for .env.enc" >&2; exit 1; }
_tmpenv=$(mktemp) || { echo "Error: failed to create temp file for .env.enc" >&2; exit 1; } if sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then
if ! sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then # Validate: non-empty, non-comment lines must match KEY=value pattern
echo "Error: failed to decrypt .env.enc — decryption failed, possible corruption" >&2 # Filter out blank lines and comments before validation
rm -f "$_tmpenv" _validated=$(grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$_tmpenv" 2>/dev/null || true)
exit 1 if [ -n "$_validated" ]; then
fi # Write validated content to a second temp file and source it
# Validate: non-empty, non-comment lines must match KEY=value pattern _validated_env=$(mktemp)
# Filter out blank lines and comments before validation printf '%s\n' "$_validated" > "$_validated_env"
_validated=$(grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$_tmpenv" 2>/dev/null || true) # shellcheck source=/dev/null
if [ -n "$_validated" ]; then source "$_validated_env"
# Write validated content to a second temp file and source it rm -f "$_validated_env"
_validated_env=$(mktemp) else
printf '%s\n' "$_validated" > "$_validated_env" echo "Warning: .env.enc decryption output failed format validation" >&2
# shellcheck source=/dev/null fi
source "$_validated_env"
rm -f "$_validated_env"
else else
echo "Error: .env.enc decryption output failed format validation" >&2 echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
rm -f "$_tmpenv"
exit 1
fi fi
rm -f "$_tmpenv" rm -f "$_tmpenv"
set +a set +a
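Review bot: The `grep -E '^[A-Za-z_][A-Za-z0-9_]*='` filter that feeds `source "$_validated_env"` only constrains the key, so the comment's claim that the validation "avoids eval injection" does not hold: a line such as `KEY=x; rm -rf "$HOME"` or `KEY=$(curl ...)` passes the filter and is executed by `source` on the new side exactly as before. Because the text comes out of an authenticated SOPS decryption the writer of .env.enc is already trusted, but the validation step adds no protection beyond that, and the new branch now also keeps going after a failed decryption while `2>/dev/null` discards the reason, and the mktemp line prints "Warning" but still does `exit 1`. I would drop the second temp file and `source` and export each key/value pair without evaluating the value, as below; if sops' dotenv output wraps values in quotes those would need stripping first — I cannot confirm that from this hunk. The enclosing `if [ -f "$FACTORY_ROOT/.env.enc" ] ...` block and the `set -a` matching the final `set +a` start outside the hunk.
```shell
# … unchanged: _saved_forge_* and _tmpenv creation …
if sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then
  # Export KEY=value lines directly instead of source-ing them: the grep only
  # checks the key, so `source` would still run $(...), backticks or ';' chains
  # hidden in the value.  Keys must be shell identifiers; other lines are skipped.
  _loaded=0
  while IFS= read -r _line; do
    [[ "$_line" =~ ^([A-Za-z_][A-Za-z0-9_]*)=(.*)$ ]] || continue
    export "${BASH_REMATCH[1]}=${BASH_REMATCH[2]}"
    _loaded=1
  done < "$_tmpenv"
  [ "$_loaded" -eq 1 ] || echo "Warning: .env.enc decryption output failed format validation" >&2
else
  # … unchanged: decryption-failure warning …
fi
```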