From eacc55142f4574a63c0902e1d29382a55bc483f8 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Fri, 10 Nov 2023 14:46:16 +0000
Subject: [PATCH 1/3] Default to sanitizing newlines in secrets
---
 root/etc/s6-overlay/s6-rc.d/init-envfile/run | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-envfile/run b/root/etc/s6-overlay/s6-rc.d/init-envfile/run
index 5dbf809..6c1e524 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-envfile/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-envfile/run
@@ -1,17 +1,19 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
-if find /run/s6/container_environment/*"FILE__"* -maxdepth 1 > /dev/null 2>&1; then
- for FILENAME in /run/s6/container_environment/*; do
- if [[ "${FILENAME##*/}" == "FILE__"* ]]; then
+if find /run/s6/container_environment/FILE__* -maxdepth 1 > /dev/null 2>&1; then
+ for FILENAME in /run/s6/container_environment/FILE__*; do
 SECRETFILE=$(cat "${FILENAME}")
 if [[ -f ${SECRETFILE} ]]; then
 FILESTRIP=${FILENAME//FILE__/}
- cat "${SECRETFILE}" >"${FILESTRIP}"
+ if [[ ${SECRET_NO_SANITIZE,,} = "true" ]]; then
+ cat "${SECRETFILE}" >"${FILESTRIP}"
+ else
+ tr -d '\n' < "${SECRETFILE}" >"${FILESTRIP}"
+ fi
 echo "[env-init] ${FILESTRIP##*/} set from ${FILENAME##*/}"
 else
 echo "[env-init] cannot find secret in ${FILENAME##*/}"
 fi
- fi
 done
 fi
From 4e98e3d93aafde9df72add831731041ddc34ccf8 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Sat, 11 Nov 2023 10:38:51 +0000
Subject: [PATCH 2/3] Warn rather than sanitize
---
 root/etc/s6-overlay/s6-rc.d/init-envfile/run | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-envfile/run b/root/etc/s6-overlay/s6-rc.d/init-envfile/run
index 6c1e524..cc1b62e 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-envfile/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-envfile/run
@@ -6,11 +6,11 @@ if find /run/s6/container_environment/FILE__* -maxdepth 1 > /dev/null 2>&1; then
 SECRETFILE=$(cat "${FILENAME}")
 if [[ -f ${SECRETFILE} ]]; then
 FILESTRIP=${FILENAME//FILE__/}
- if [[ ${SECRET_NO_SANITIZE,,} = "true" ]]; then
- cat "${SECRETFILE}" >"${FILESTRIP}"
- else
- tr -d '\n' < "${SECRETFILE}" >"${FILESTRIP}"
+ if [[ $(tail -n1 "${SECRETFILE}" | wc -l) = 1 ]]; then
+ echo "[env-init] Your secret: ${FILENAME##*/}"
+ echo " contains a trailing newline and may not work as expected"
 fi
+ cat "${SECRETFILE}" >"${FILESTRIP}"
 echo "[env-init] ${FILESTRIP##*/} set from ${FILENAME##*/}"
 else
 echo "[env-init] cannot find secret in ${FILENAME##*/}"
From 59693fa2e2079ac4bb40859cebcf9bf214c1b664 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Sat, 11 Nov 2023 20:02:46 +0000
Subject: [PATCH 3/3] !0 instead of 1
---
 root/etc/s6-overlay/s6-rc.d/init-envfile/run | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-envfile/run b/root/etc/s6-overlay/s6-rc.d/init-envfile/run
index cc1b62e..592df52 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-envfile/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-envfile/run
@@ -6,7 +6,7 @@ if find /run/s6/container_environment/FILE__* -maxdepth 1 > /dev/null 2>&1; then
 SECRETFILE=$(cat "${FILENAME}")
 if [[ -f ${SECRETFILE} ]]; then
 FILESTRIP=${FILENAME//FILE__/}
- if [[ $(tail -n1 "${SECRETFILE}" | wc -l) = 1 ]]; then
+ if [[ $(tail -n1 "${SECRETFILE}" | wc -l) != 0 ]]; then
 echo "[env-init] Your secret: ${FILENAME##*/}"
 echo " contains a trailing newline and may not work as expected"
 fi
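Review bot: The trailing-newline test added in the second patch, `if [[ $(tail -n1 "${SECRETFILE}" | wc -l) = 1 ]]; then`, compares against the exact text `wc -l` prints, which BSD-derived implementations pad with leading spaces when reading stdin; the third patch's loosening of the same condition to `!= 0` stops the warning being missed under such a `wc`, but would then fire for every secret there, since a padded `0` is also not the string `0`. A check that parses no number at all is `if [[ -s "${SECRETFILE}" && -z $(tail -c1 "${SECRETFILE}") ]]; then` — command substitution strips one trailing newline, so an empty result from a non-empty file means its last byte is a newline. Both versions only inspect the final newline, so a secret saved with CRLF line endings still carries a `\r` that this warning will not mention; the message could say "trailing newline or carriage return", or the `\r` case could be checked separately with `tail -c2`. The enclosing `for` loop and the outer `if find` block start and end outside both hunks.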