envsubst: remove explicit subst of exported vars

For nginx config, a new approach is implemented with perl. This is because unrestricted use of `envsubst` on nginx config files will replace nginx variables like $host, $request_uri with an empty string. Closes getodk#473
alxndrsn · Dec 6, 2024 · 612e9e7 · 612e9e7
1 parent 5bb4def
commit 612e9e7
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/files/enketo/start-enketo.sh b/files/enketo/start-enketo.sh
@@ -7,7 +7,7 @@ BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https:
 SECRET=$(cat /etc/secrets/enketo-secret) \
 LESS_SECRET=$(cat /etc/secrets/enketo-less-secret) \
 API_KEY=$(cat /etc/secrets/enketo-api-key) \
-envsubst '$DOMAIN $BASE_URL $SECRET $LESS_SECRET $API_KEY $SUPPORT_EMAIL' \
+envsubst \
     < "$CONFIG_PATH.template" \
     > "$CONFIG_PATH"
 

diff --git a/files/nginx/setup-odk.sh b/files/nginx/setup-odk.sh
@@ -1,5 +1,12 @@
 #!/bin/bash
 
+nginx_envsubst() {
+  # Re-implementation of envsubst which is safe to call on nginx config files.
+  # This fn only substitutes variables in the form ${CAPS_AND_UNDERSCORES},
+  # allowing nginx variables like $host, $request_uri etc. through unmodified.
+  perl -pe 's/\$\{([A-Z_]*)\}/$ENV{$1}/g'
+}
+
 
 echo "writing client config..."
 if [[ $OIDC_ENABLED != 'true' ]] && [[ $OIDC_ENABLED != 'false' ]]; then
@@ -31,7 +38,7 @@ echo "writing fresh nginx templates..."
 cp /usr/share/odk/nginx/redirector.conf /etc/nginx/conf.d/redirector.conf
 
 CNAME=$( [ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
-envsubst '$SSL_TYPE $CNAME $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
+nginx_envsubst \
   < /usr/share/odk/nginx/odk.conf.template \
   > /etc/nginx/conf.d/odk.conf
 

diff --git a/files/service/scripts/start-odk.sh b/files/service/scripts/start-odk.sh
@@ -4,7 +4,7 @@ echo "generating local service configuration.."
 
 ENKETO_API_KEY=$(cat /etc/secrets/enketo-api-key) \
 BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \
-envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_ISSUER_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT $S3_SERVER $S3_ACCESS_KEY $S3_SECRET_KEY $S3_BUCKET_NAME' \
+envsubst \
     < /usr/share/odk/config.json.template \
     > /usr/odk/config/local.json