Escape secrets in inline command substitution

Kamal "inlines" calls to `kamal secrets` in the dotenv file, but the
results of the calls were not being escaped properly. To "fix" this
`kamal secrets fetch` escaped the JSON string before returning it.

The two errors cancelled out, but it meant that the commands didn't
work from a shell.

To fix, we'll escape the inline command results and remove the escaping
from `kamal secrets fetch`.
Donal McBreen
2024-09-30 10:45:11 +01:00
parent f331605efa
commit ff24fd9874
8 changed files with 22 additions and 20 deletions
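
The two-sided escaping described in the commit message, as an added Ruby example that is not part of the commit or of Kamal's code. Plain `sh` stands in both for a user's shell and, as an assumption, for the place where inlined results are substituted; the secret value and all helper names are constructed for illustration.

```ruby
require "json"
require "open3"
require "shellwords"

# Constructed sample secret; the space and quotes are what a shell would mangle.
RAW = JSON.dump({ "DB_PASSWORD" => "p@ss word" })

def sh(script, stdin = "")
  out, status = Open3.capture2("sh", "-c", script, stdin_data: stdin)
  raise "sh exited non-zero" unless status.success?
  out
end

# A user's shell capturing the command's stdout with "$(...)": bytes arrive as printed.
def captured_by_shell(output)
  sh('v="$(cat)"; printf %s "$v"', output)
end

# Assumed stand-in for inlining: the value is spliced into shell-parsed text.
def inlined(value, escape:)
  sh("printf %s #{escape ? value.shellescape : value}")
end

def valid_json?(text)
  JSON.parse(text)
  true
rescue JSON::ParserError
  false
end

# producer_escapes: fetch escapes its output; consumer_escapes: the inliner escapes.
def outcome(producer_escapes:, consumer_escapes:)
  printed = producer_escapes ? RAW.shellescape : RAW
  { inline_round_trips: inlined(printed, escape: consumer_escapes) == RAW,
    usable_from_shell: valid_json?(captured_by_shell(printed)) }
end

BEFORE = outcome(producer_escapes: true, consumer_escapes: false)
AFTER  = outcome(producer_escapes: false, consumer_escapes: true)

puts "before: #{BEFORE}", "after:  #{AFTER}"
```

Both arrangements round-trip through the inline path, but only the second leaves the printed output parseable as JSON when a shell captures it.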

@@ -7,7 +7,7 @@ class Kamal::Cli::Secrets < Kamal::Cli::Base
def fetch(*secrets)
results = adapter(options[:adapter]).fetch(secrets, **options.slice(:account, :from).symbolize_keys)
return_or_puts JSON.dump(results).shellescape, inline: options[:inline]
return_or_puts JSON.dump(results), inline: options[:inline]
end
desc "extract", "Extract a single secret from the results of a fetch call"
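
Review bot: in `fetch`, `return_or_puts JSON.dump(results), inline: options[:inline]` now hands raw JSON to inline callers as well as to stdout, so correctness depends on every inline caller escaping the value, and nothing at this site says so. The one caller visible in this commit does (`inline_secrets_command(command).shellescape`). Suggest a one-line comment here stating that the output is deliberately unescaped and that anything substituting it into shell-parsed text must escape it, plus a test asserting that the printed output parses as JSON so the escaping cannot be reintroduced here unnoticed.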

@@ -16,7 +16,7 @@ class Kamal::Secrets::Dotenv::InlineCommandSubstitution
else
if command =~ /\A\s*kamal\s*secrets\s+/
# Inline the command
inline_secrets_command(command)
inline_secrets_command(command).shellescape
else
# Execute the command and return the value
`#{command}`.chomp
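
Review bot: the `else` branch still returns `` `#{command}`.chomp `` without `shellescape`, so after this change the two branches of the substitution treat their results differently. If the output of an ordinary command lands in the same place as the inlined `kamal secrets` result, a value containing spaces or quotes would need the same escaping; if the difference is intentional, a comment on that line explaining why would make it clear. A test with a secret value containing whitespace and quote characters, going through both branches, would pin the behaviour down.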