fix: prevent command injection and fix developer view shared variables error (#8889)

2026-03-11 06:42:12 +01:00 · 2026-03-11 06:42:12 +01:00 · 96b35bd2d8
commit 96b35bd2d8
parent d9cdbc6096 5cac559602
4 changed files with 88 additions and 3 deletions
--- a/app/Livewire/SharedVariables/Environment/Show.php
+++ b/app/Livewire/SharedVariables/Environment/Show.php
@ -139,7 +139,9 @@ private function deleteRemovedVariables($variables)
    private function updateOrCreateVariables($variables)
    {
        $count = 0;
-        foreach ($variables as $key => $value) {
+        foreach ($variables as $key => $data) {
+            $value = is_array($data) ? ($data['value'] ?? '') : $data;
+
            $found = $this->environment->environment_variables()->where('key', $key)->first();

            if ($found) {
--- a/app/Livewire/SharedVariables/Project/Show.php
+++ b/app/Livewire/SharedVariables/Project/Show.php
@ -130,7 +130,9 @@ private function deleteRemovedVariables($variables)
    private function updateOrCreateVariables($variables)
    {
        $count = 0;
-        foreach ($variables as $key => $value) {
+        foreach ($variables as $key => $data) {
+            $value = is_array($data) ? ($data['value'] ?? '') : $data;
+
            $found = $this->project->environment_variables()->where('key', $key)->first();

            if ($found) {
--- a/app/Livewire/SharedVariables/Team/Index.php
+++ b/app/Livewire/SharedVariables/Team/Index.php
@ -129,7 +129,9 @@ private function deleteRemovedVariables($variables)
    private function updateOrCreateVariables($variables)
    {
        $count = 0;
-        foreach ($variables as $key => $value) {
+        foreach ($variables as $key => $data) {
+            $value = is_array($data) ? ($data['value'] ?? '') : $data;
+
            $found = $this->team->environment_variables()->where('key', $key)->first();

            if ($found) {
--- a/tests/Feature/SharedVariableDevViewTest.php
+++ b/tests/Feature/SharedVariableDevViewTest.php
@ -0,0 +1,79 @@
+<?php
+
+use App\Models\Environment;
+use App\Models\Project;
+use App\Models\SharedEnvironmentVariable;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Livewire\Livewire;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->user = User::factory()->create();
+    $this->team = Team::factory()->create();
+    $this->user->teams()->attach($this->team, ['role' => 'admin']);
+
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create([
+        'project_id' => $this->project->id,
+    ]);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => $this->team]);
+});
+
+test('environment shared variable dev view saves without openssl_encrypt error', function () {
+    Livewire::test(\App\Livewire\SharedVariables\Environment\Show::class)
+        ->set('variables', "MY_VAR=my_value\nANOTHER_VAR=another_value")
+        ->call('submit')
+        ->assertHasNoErrors();
+
+    $vars = $this->environment->environment_variables()->pluck('value', 'key')->toArray();
+    expect($vars)->toHaveKey('MY_VAR')
+        ->and($vars['MY_VAR'])->toBe('my_value')
+        ->and($vars)->toHaveKey('ANOTHER_VAR')
+        ->and($vars['ANOTHER_VAR'])->toBe('another_value');
+});
+
+test('project shared variable dev view saves without openssl_encrypt error', function () {
+    Livewire::test(\App\Livewire\SharedVariables\Project\Show::class)
+        ->set('variables', 'PROJ_VAR=proj_value')
+        ->call('submit')
+        ->assertHasNoErrors();
+
+    $vars = $this->project->environment_variables()->pluck('value', 'key')->toArray();
+    expect($vars)->toHaveKey('PROJ_VAR')
+        ->and($vars['PROJ_VAR'])->toBe('proj_value');
+});
+
+test('team shared variable dev view saves without openssl_encrypt error', function () {
+    Livewire::test(\App\Livewire\SharedVariables\Team\Index::class)
+        ->set('variables', 'TEAM_VAR=team_value')
+        ->call('submit')
+        ->assertHasNoErrors();
+
+    $vars = $this->team->environment_variables()->pluck('value', 'key')->toArray();
+    expect($vars)->toHaveKey('TEAM_VAR')
+        ->and($vars['TEAM_VAR'])->toBe('team_value');
+});
+
+test('environment shared variable dev view updates existing variable', function () {
+    SharedEnvironmentVariable::create([
+        'key' => 'EXISTING_VAR',
+        'value' => 'old_value',
+        'type' => 'environment',
+        'environment_id' => $this->environment->id,
+        'project_id' => $this->project->id,
+        'team_id' => $this->team->id,
+    ]);
+
+    Livewire::test(\App\Livewire\SharedVariables\Environment\Show::class)
+        ->set('variables', 'EXISTING_VAR=new_value')
+        ->call('submit')
+        ->assertHasNoErrors();
+
+    $var = $this->environment->environment_variables()->where('key', 'EXISTING_VAR')->first();
+    expect($var->value)->toBe('new_value');
+});