
ini: use envsubst #702

Merged: DannyBen merged 2 commits into bashly-framework:master from wfleurant:fix/ini-envsubst-safe-expansion on Mar 16, 2026

@wfleurant
Contributor

eval was probably used to expand $VAR refs in ini values, i.e. path = $HOME/.config

reason for this patch: if say the ini is updated via session_token or user_input then think of backticks or $() or ! in user_input_pw

envsubst would continue to expand available env vars

unknown vars become empty strings
so key=val of "credentials=user:${NONEXISTENT}" becomes "credentials=user:"

if a token or password contains $ .. it'll be silently empty and literal but at least not executed

  • Known env var: ($HOME) is expanded (OK)
  • Unknown env var: ($NONEXISTENT) becomes EMPTY STRING
  • string with bang: (!) is passed through as is (OK)
  • backticks or exec: (`) or ($()) is passed through as is (OK)
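
The difference described in the pull request text above, as an added example that is not part of the PR or of bashly's code: the same constructed ini values run through an eval-style expansion and through envsubst. The helper names, the `DEMO_DIR` variable and the eval pattern itself are assumptions, since the original eval call is not shown on this page.

```shell
#!/usr/bin/env bash
# Added example, not bashly's code: helper names and sample values are constructed.

# Hypothetical eval-style expansion: the value is re-parsed as shell source,
# so $VAR is expanded but $(...) and backticks are executed as commands.
expand_with_eval() {
  eval "printf '%s' \"$1\""
}

# envsubst-style expansion: only $VAR and ${VAR} are replaced, using
# exported environment variables; everything else is copied through.
expand_with_envsubst() {
  printf '%s' "$1" | envsubst
}

# Run one constructed ini line through both helpers and show the results.
compare() {
  printf '%-34s eval=[%s] envsubst=[%s]\n' "$1" \
    "$(expand_with_eval "$1")" "$(expand_with_envsubst "$1")"
}

demo() {
  export DEMO_DIR=/srv/demo   # constructed variable standing in for $HOME
  unset NONEXISTENT Tail
  compare 'path=$DEMO_DIR/.config'          # known variable: both expand it
  compare 'credentials=user:${NONEXISTENT}' # unknown variable: both give empty
  compare 'token=$(echo EXECUTED)'          # eval runs it, envsubst does not
  compare 'token=`echo EXECUTED`'           # same for backticks
  compare 'password=S3cr$Tail'              # "$Tail" is silently dropped
  compare 'note=hello!'                     # bang is passed through
}

demo
```

envsubst reads only exported environment variables, so a shell-local variable referenced in an ini value is treated like an unknown one and becomes empty.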

wfleurant and others added 2 commits March 16, 2026 12:36
@DannyBen DannyBen added this to the 1.3.7 milestone Mar 16, 2026
@DannyBen
Member

Thank you. Acceptable change.
I will merge once the tests pass.

@DannyBen DannyBen merged commit 7786cd2 into bashly-framework:master Mar 16, 2026
11 of 18 checks passed