From df2b76aee135975c38e4cb884b87bcc492da32a6 Mon Sep 17 00:00:00 2001 From: Donal McBreen Date: Tue, 12 Sep 2023 13:56:08 +0100 Subject: [PATCH] Escape newlines in docker env files When env variables were passed via `-e` newlines were escaped. This updates the env file to do the same thing. --- lib/kamal/utils.rb | 13 ++++++++----- test/utils_test.rb | 24 ++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/lib/kamal/utils.rb b/lib/kamal/utils.rb index c61d4cf8a..ec98f3c82 100644 --- a/lib/kamal/utils.rb +++ b/lib/kamal/utils.rb @@ -92,6 +92,13 @@ def escape_shell_value(value) .gsub(DOLLAR_SIGN_WITHOUT_SHELL_EXPANSION_REGEX, '\$') end + # Escape a value to make it safe to dump in a docker file. + def escape_docker_env_file_value(value) + # Doublequotes are treated literally in docker env files + # so remove leading and trailing ones and unescape any others + value.to_s.dump[1..-2].gsub(/\\"/, "\"") + end + # Abbreviate a git revhash for concise display def abbreviate_version(version) if version @@ -109,10 +116,6 @@ def uncommitted_changes end def docker_env_file_line(key, value) - if key.include?("\n") || value.to_s.include?("\n") - raise ArgumentError, "docker env file format does not support newlines in keys or values, key: #{key}" - end - - "#{key.to_s}=#{value.to_s}\n" + "#{key.to_s}=#{escape_docker_env_file_value(value)}\n" end end diff --git a/test/utils_test.rb b/test/utils_test.rb index 3edfe8f5c..b268fb0fe 100644 --- a/test/utils_test.rb +++ b/test/utils_test.rb @@ -49,6 +49,30 @@ class UtilsTest < ActiveSupport::TestCase ENV.delete "PASSWORD" end + test "env file secret escaped newline" do + ENV["PASSWORD"] = "hello\\nthere" + env = { + "secret" => [ "PASSWORD" ] + } + + assert_equal "PASSWORD=hello\\\\nthere\n", \ + Kamal::Utils.env_file_with_secrets(env) + ensure + ENV.delete "PASSWORD" + end + + test "env file secret newline" do + ENV["PASSWORD"] = "hello\nthere" + env = { + "secret" => [ "PASSWORD" ] + } + + assert_equal "PASSWORD=hello\\nthere\n", \ + Kamal::Utils.env_file_with_secrets(env) + ensure + ENV.delete "PASSWORD" + end + test "env file missing secret" do env = { "secret" => [ "PASSWORD" ]