Sanitisation of env var variables at the server side does not handle duplicates or empty names
Expected Behavior
Sanitise ENV VARs using well maintained, industry std package dotenv
Steps To Reproduce
Submit an API call with invalid data.
curl 'http://192.168.1.2:3000/api/v1/projects/abc123ab-abc1-abc1-abc1-abc1abc1abc1' \
-X 'PUT' \
-H 'Accept: application/json, text/plain, */*' \
-H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,es;q=0.7' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/json' \
-H 'Cookie: sid=ffu_aBC123aBC123aBC123aBC123aBC123aBC123aBC123_aBC123aBC123.aBC123aBC123aBC123aBC123aBC123aBC123' \
-H 'Origin: http://192.168.1.2:3000' \
-H 'Pragma: no-cache' \
-H 'User-Agent: Mozilla/5.0' \
--data-raw '{"settings":{"env":[{"name":"policy_item_editable","value":"This was defined in the template, but edited in the instance."},{"name":"INSTANCE_VAR","value":"This was added directly to the instance."},{"name":"\"FF_INSTANCE_NAME\"","value":"added via API."},{"name":"\" BAD_VAR\"","value":"added via API."},{"name":"\" BAD_VAR \"","value":"added via API."},{"name":"DUPLICATE","value":"added via API."},{"name":"DUPLICATE","value":"added via API."},{"name":"DUPLICATE","value":"added via API."},{"name":"","value":"empty name! Added via API."},{"name":"","value":"another empty name! Added via API."},{"name":"policy_item_locked","value":"Added via API."},{"name":"policy_item_editable","value":"Added via API."}]}}' \
--compressed \
--insecure
Environment
FlowForge version: 1.9.x (current)
Node.js version: NA
npm version: NA
Platform/OS: NA
Browser: NA
Have you provided an initial effort estimate for this issue?
I have provided an initial effort estimate
Current Behavior
Related: #2372, #2501
Sanitisation of env var variables at the server side does not handle duplicates or empty names
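Added example, not part of the original issue and not FlowForge's own code: a strict server-side check for the `settings.env` array that rejects empty, malformed and duplicate names instead of storing them. The function name, the error shape and the name pattern are assumptions, and it uses a hand-written allow-list rather than the dotenv package the report asks for.

```javascript
// Added example: strict server-side validation of settings.env entries.
// NAME_RE is an assumed policy (POSIX-style identifier), not FlowForge's rule.
const NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function validateEnv(env) {
  const errors = [];
  const accepted = [];
  if (!Array.isArray(env)) {
    return { ok: false, accepted, errors: [{ index: -1, reason: 'not-an-array' }] };
  }
  // A Set, so a name such as __proto__ is compared as data and never used as an object key.
  const seen = new Set();
  env.forEach((entry, index) => {
    const name = entry && entry.name;
    const value = entry && entry.value;
    if (typeof name !== 'string' || typeof value !== 'string') {
      errors.push({ index, reason: 'bad-type' });
    } else if (name === '') {
      errors.push({ index, reason: 'empty-name' });
    } else if (!NAME_RE.test(name)) {
      // Reject rather than trim or unquote: the server never silently rewrites client input.
      errors.push({ index, reason: 'invalid-name' });
    } else if (seen.has(name)) {
      errors.push({ index, reason: 'duplicate-name' });
    } else {
      seen.add(name);
      accepted.push({ name, value });
    }
  });
  return { ok: errors.length === 0, accepted, errors };
}

// Constructed sample: the names from the request in this report, values shortened to 'x'.
const sampleEnv = [
  'policy_item_editable', 'INSTANCE_VAR', '"FF_INSTANCE_NAME"', '" BAD_VAR"',
  '" BAD_VAR "', 'DUPLICATE', 'DUPLICATE', 'DUPLICATE', '', '',
  'policy_item_locked', 'policy_item_editable',
].map((name) => ({ name, value: 'x' }));

const result = validateEnv(sampleEnv);
// A caller would answer HTTP 400 with result.errors whenever result.ok is false.
console.log(result.ok, result.errors);
```

Returning every failing index with a reason lets the API refuse the whole update in one response, so the stored settings never contain a partially cleaned list.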