WIP

Bump rack from 3.1.8 to 3.1.10 in the bundler group across 1 directory

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:3.3-alpine
+FROM ruby:3.4-alpine
 
 # Install docker/buildx-bin
 COPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx
@@ -13,9 +13,9 @@ COPY Gemfile Gemfile.lock kamal.gemspec ./
 COPY lib/kamal/version.rb /kamal/lib/kamal/version.rb
 
 # Install system dependencies
-RUN apk add --no-cache build-base git docker openrc openssh-client-default \
+RUN apk add --no-cache build-base git docker openrc openssh-client-default yaml-dev \
     && rc-update add docker boot \
-    && gem install bundler --version=2.4.3 \
+    && gem install bundler --version=2.6.5 \
     && bundle install
 
 # Copy the rest of our application code into the container.

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    kamal (2.5.1)
+    kamal (2.5.3)
       activesupport (>= 7.0)
       base64 (~> 0.2)
       bcrypt_pbkdf (~> 1.0)
@@ -48,8 +48,6 @@ GEM
     ast (2.4.2)
     base64 (0.2.0)
     bcrypt_pbkdf (1.1.1)
-    bcrypt_pbkdf (1.1.1-arm64-darwin)
-    bcrypt_pbkdf (1.1.1-x86_64-darwin)
     benchmark (0.4.0)
     bigdecimal (3.1.8)
     builder (3.3.0)
@@ -84,11 +82,15 @@ GEM
     net-sftp (4.0.0)
       net-ssh (>= 5.0.0, < 8.0.0)
     net-ssh (7.3.0)
-    nokogiri (1.17.2-arm64-darwin)
+    nokogiri (1.18.3-aarch64-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.17.2-x86_64-darwin)
+    nokogiri (1.18.3-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.17.2-x86_64-linux)
+    nokogiri (1.18.3-x86_64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.18.3-x86_64-linux-gnu)
+      racc (~> 1.4)
+    nokogiri (1.18.3-x86_64-linux-musl)
       racc (~> 1.4)
     ostruct (0.6.1)
     parallel (1.26.3)
@@ -99,7 +101,7 @@ GEM
       date
       stringio
     racc (1.8.1)
-    rack (3.1.8)
+    rack (3.1.10)
     rack-session (2.0.0)
       rack (>= 3.0.0)
     rack-test (2.1.0)
@@ -177,9 +179,11 @@ GEM
     zeitwerk (2.7.1)
 
 PLATFORMS
+  aarch64-linux-musl
   arm64-darwin
   x86_64-darwin
   x86_64-linux
+  x86_64-linux-musl
 
 DEPENDENCIES
   debug
@@ -189,4 +193,4 @@ DEPENDENCIES
   rubocop-rails-omakase
 
 BUNDLED WITH
-   2.4.3
+   2.6.5

lib/kamal/secrets/dotenv/inline_command_substitution.rb

@@ -4,9 +4,36 @@ class Kamal::Secrets::Dotenv::InlineCommandSubstitution
       ::Dotenv::Parser.substitutions.map! { |sub| sub == ::Dotenv::Substitutions::Command ? self : sub }
     end
 
+    # Improved version of Dotenv::Substitutions::Command's INTERPOLATED_SHELL_COMMAND
+    # Handles:
+    #   $(echo 'foo)')
+    #   $(echo "foo)")
+    #   $(echo foo\))
+    #   $(echo "foo\")")
+    #   $(echo foo\\)
+    #   $(echo 'foo'"'"')')
+    INTERPOLATED_SHELL_COMMAND = /
+      (?<backslash>\\)?         # (1) Optional backslash (escaped '$')
+      \$                        # (2) Match a literal '$' (start of command)
+      (?<cmd>                   # (3) Capture the command within '$()' as 'cmd'
+        \(                      # (4) Require an opening parenthesis '('
+        (?:                     # (5) Match either:
+          [^()\\'"]+            #     - Any non-parens, non-escape, non-quotes (normal chars)
+          | \\ (?!\)) .         #     - Escaped character (e.g., `\(`, `\'`, `\"`), but **not** `\)` alone
+          | \\\\ \)             #     - Special case: Match `\\)` as a literal `\)`
+          | '(?:[^'\\]* (?:\\.[^'\\]*)*)'  # - Single-quoted strings with escaped quotes (`\'`)
+          | "(?:[^"\\]* (?:\\.[^"\\]*)*)"  # - Double-quoted strings with escaped quotes (`\"`)
+          | '(?:[^']*)' (?:"[^"]*")*       # - Single-quoted, followed by optional mixed double-quoted parts
+          | "(?:[^"]*)" (?:'[^']*')*       # - Double-quoted, followed by optional mixed single-quoted parts
+          | \g<cmd>             #     - Nested `$()` expressions (recursive call)
+        )*                      # (6) Repeat to allow full parsing
+        \)                      # (7) Require a closing parenthesis ')'
+      )
+    /x
+
     def call(value, _env, overwrite: false)
       # Process interpolated shell commands
-      value.gsub(Dotenv::Substitutions::Command.singleton_class::INTERPOLATED_SHELL_COMMAND) do |*|
+      value.gsub(INTERPOLATED_SHELL_COMMAND) do |*|
         # Eliminate opening and closing parentheses
         command = $LAST_MATCH_INFO[:cmd][1..-2]
 

lib/kamal/version.rb

@@ -1,3 +1,3 @@
 module Kamal
-  VERSION = "2.5.1"
+  VERSION = "2.5.3"
 end

test/secrets_test.rb

@@ -34,6 +34,30 @@ class SecretsTest < ActiveSupport::TestCase
     end
   end
 
+  test "secret with open bracket" do
+    with_test_secrets("secrets" => "SECRET1=$(echo 'foo)')") do
+      assert_equal "foo)", Kamal::Secrets.new["SECRET1"]
+    end
+  end
+
+  test "secret with close bracket" do
+    with_test_secrets("secrets" => "SECRET1=$(echo 'foo(')") do
+      assert_equal "foo(", Kamal::Secrets.new["SECRET1"]
+    end
+  end
+
+  test "secret with escaped quote" do
+    with_test_secrets("secrets" => "SECRET1=$(echo \"foo\\\")") do
+      assert_equal "foo", Kamal::Secrets.new["SECRET1"]
+    end
+  end
+
+  test "secret with escaped single quote" do
+    with_test_secrets("secrets" => "SECRET1=  $(echo 'foo'\"'\"'bar')") do
+      assert_equal "foo'bar", Kamal::Secrets.new["SECRET1"]
+    end
+  end
+
   test "destinations" do
     with_test_secrets("secrets.dest" => "SECRET=DEF", "secrets" => "SECRET=ABC", "secrets-common" => "SECRET=GHI\nSECRET2=JKL") do
       assert_equal "ABC", Kamal::Secrets.new["SECRET"]