From ad744ec728c694b2212cfc2e03bcaff892cfbbc8 Mon Sep 17 00:00:00 2001 From: 0X-SquidSol Date: Tue, 7 Apr 2026 20:55:25 -0400 Subject: [PATCH] fix: validate environment variable key names before writing to .env files writeEnvVar and addEnvVar accepted arbitrary key names without validation. A key containing shell metacharacters (e.g. KEY=$(cmd)) could cause command injection when the .env file is sourced. Both functions now reject keys that don't match the POSIX standard for environment variable names. Co-Authored-By: Claude Opus 4.6 (1M context) --- electron/services/EnvService.ts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/electron/services/EnvService.ts b/electron/services/EnvService.ts index 66b2c28..e9a358c 100644 --- a/electron/services/EnvService.ts +++ b/electron/services/EnvService.ts @@ -20,6 +20,7 @@ const SECRET_PATTERNS: Array<{ pattern: string; label: string }> = [ ] const ENV_FILE_NAMES = ['.env', '.env.local', '.env.production', '.env.staging', '.env.development'] +const VALID_ENV_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/ const VERCEL_TOKEN_PATTERN = /^[A-Za-z0-9]{24,}$/ const VERCEL_API_BASE = 'https://api.vercel.com' @@ -152,6 +153,7 @@ export function scanAllProjects(): UnifiedKey[] { } export function writeEnvVar(filePath: string, key: string, newValue: string): void { + if (!VALID_ENV_KEY.test(key)) throw new Error(`Invalid environment variable name: "${key}"`) const content = fs.readFileSync(filePath, 'utf8') const lines = content.split('\n') let found = false @@ -186,6 +188,7 @@ export function writeEnvVar(filePath: string, key: string, newValue: string): vo } export function addEnvVar(filePath: string, key: string, value: string): void { + if (!VALID_ENV_KEY.test(key)) throw new Error(`Invalid environment variable name: "${key}"`) let content = '' if (fs.existsSync(filePath)) { content = fs.readFileSync(filePath, 'utf8')