Skip to content

Added safe env wrapper while loading and processing YAML files#5

Closed
prabodh-panda wants to merge 1 commit intomainfrom
add-safe-env-wrapper
Closed

Added safe env wrapper while loading and processing YAML files#5
prabodh-panda wants to merge 1 commit intomainfrom
add-safe-env-wrapper

Conversation

@prabodh-panda
Copy link
Member

@prabodh-panda prabodh-panda commented Nov 2, 2025

neeto-bugwatch[bot]
neeto-bugwatch bot suggested changes Nov 2, 2025
View reviewed changes
Copy link

@neeto-bugwatch neeto-bugwatch bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 NeetoBugWatch Review

I've analyzed your pull request and found some potential improvements that might be worth considering. Please review the specific line comments below for helpful suggestions.

💡 To trigger a re-review of this PR, add a comment with the keyword neeto-bugwatch-run anywhere in the comment body.

lib/secvault/secrets.rb
erb_result = ERB.new(source).result
end

YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(erb_result) : YAML.safe_load(erb_result, aliases: true, permitted_classes: PERMITTED_YAML_CLASSES)
Copy link

@neeto-bugwatch neeto-bugwatch bot Nov 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Monkey-patching a global object like ENV is not thread-safe. If multiple threads execute this code concurrently (e.g., in a Puma server), it could lead to race conditions where one thread interferes with another's execution or leaves the ENV object in a corrupted state. A safer, thread-local approach would be to create a custom binding with a proxy object for ENV and pass it to ERB.new(source).result(binding). This would isolate the change without modifying global state.

lib/secvault/secrets.rb
def with_safe_env
original_env_method = ENV.method(:[])

ENV.define_singleton_method(:[]) do |key|
Copy link

@neeto-bugwatch neeto-bugwatch bot Nov 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current approach of simply wrapping the value in double quotes might not correctly handle environment variables that already contain special characters like quotes or backslashes, potentially leading to invalid YAML. For a more robust solution, consider using a standard library method for serialization, such as value.to_json or YAML.dump(value).strip, which will handle all necessary escaping correctly.

@yedhink
Copy link

yedhink commented Nov 14, 2025

@prabodh-panda Can we either close this PR or make it ready for review?

@prabodh-panda
Copy link
Member Author

prabodh-panda commented Nov 14, 2025

@yedhink I have a call scheduled with Unni today at 11 to discuss this issue. We can take action after that.

@prabodh-panda
Copy link
Member Author

prabodh-panda commented Nov 14, 2025

This issue occurs only in Rails 7.1. Secvault works as expected in Rails 7.2, so we can close this PR.

@prabodh-panda prabodh-panda mentioned this pull request Nov 14, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@neeto-bugwatch neeto-bugwatch[bot] neeto-bugwatch[bot] requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Invalid environment variable causes entire object to be null

2 participants

@prabodh-panda @yedhink