Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Escape secrets in inline command substitution #1008

Closed
wants to merge 1 commit into from
Closed

Escape secrets in inline command substitution #1008

wants to merge 1 commit into from

Conversation

djmb
Copy link
Collaborator

@djmb djmb commented Sep 30, 2024

Kamal "inlines" calls to kamal secrets in the dotenv file, but the results of the calls were not being escaped properly. To "fix" this kamal secrets fetch escaped the JSON string before returning it.

The two errors cancelled out, but it meant that the commands didn't work from a shell.

To fix, we'll escape the inline command results and remove the escaping from kamal secrets fetch.

Fixes #1007

@djmb
Escape secrets in inline command substitution
ff24fd9 
Kamal "inlines" calls to `kamal secrets` in the dotenv file, but the
results of the calls were not being escaped properly. To "fix" this
`kamal secrets fetch` escaped the JSON string before returning it.

The two errors cancelled out, but it meant that the commands didn't
work from a shell.

To fix, we'll escape the inline command results and remove the escaping
from `kamal secrets fetch`.
@djmb djmb mentioned this pull request Sep 30, 2024
Open
@djmb
Copy link
Collaborator Author

djmb commented Sep 30, 2024

No this won't work.

The dotenv gem needs the escaped output from kamal secrets fetch function correctly - it's not behaving exactly the same as a shell would. Escaping the output of the "inlined" kamal secrets commands kind of works around that, but it means that the inlined commands don't work the same a a non inlined version would.

So the problem here is that dotenv and the shell are out of sync. I think maybe the best thing to do is add a kamal secrets print command that can be used when debugging secrets so you don't need to run the commands directly from the command line.

@djmb
Copy link
Collaborator Author

djmb commented Sep 30, 2024

Closing in favour of #1009

@djmb djmb closed this Sep 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

kamal secrets extract JSON parse error on shell escaped secrets
1 participant
@djmb