Commit bfedfebf authored by timothycarambat's avatar timothycarambat

security: force sanitize env string set by user

parent 2374939f
...@@ -564,6 +564,16 @@ async function dumpENV() { ...@@ -564,6 +564,16 @@ async function dumpENV() {
"DISABLE_TELEMETRY", "DISABLE_TELEMETRY",
]; ];
// Simple sanitization of each value to prevent ENV injection via newline or quote escaping.
function sanitizeValue(value) {
const offendingChars =
/[\n\r\t\v\f\u0085\u00a0\u1680\u180e\u2000-\u200a\u2028\u2029\u202f\u205f\u3000"'`#]/;
const firstOffendingCharIndex = value.search(offendingChars);
if (firstOffendingCharIndex === -1) return value;
return value.substring(0, firstOffendingCharIndex);
}
for (const key of protectedKeys) { for (const key of protectedKeys) {
const envValue = process.env?.[key] || null; const envValue = process.env?.[key] || null;
if (!envValue) continue; if (!envValue) continue;
...@@ -572,9 +582,7 @@ async function dumpENV() { ...@@ -572,9 +582,7 @@ async function dumpENV() {
var envResult = `# Auto-dump ENV from system call on ${new Date().toTimeString()}\n`; var envResult = `# Auto-dump ENV from system call on ${new Date().toTimeString()}\n`;
envResult += Object.entries(frozenEnvs) envResult += Object.entries(frozenEnvs)
.map(([key, value]) => { .map(([key, value]) => `${key}='${sanitizeValue(value)}'`)
return `${key}='${value}'`;
})
.join("\n"); .join("\n");
const envPath = path.join(__dirname, "../../.env"); const envPath = path.join(__dirname, "../../.env");
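Review bot: sanitizeValue truncates at the first offending character and returns the shortened string without any signal, so a secret that legitimately contains `#`, `"`, a backtick or a tab (common in passwords and some API keys) is persisted to .env as a different, shorter value, and a truncated signing or session secret is weaker than the one the operator set. Because every value is written inside single quotes in the second hunk, only `'` and line terminators can actually end the quoted value for a typical dotenv-style parser, so the other characters in the class are probably safe to keep — though which parser reads this file is not visible here and should be confirmed. At minimum the truncation should be observable: give the helper the key, `function sanitizeValue(key, value) {`, log `console.warn(\`ENV value for ${key} contained unsafe characters and was truncated before writing .env\`);` before the `substring` return, and call it as `${key}='${sanitizeValue(key, value)}'`. The enclosing dumpENV function starts before and ends after this section.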