fix(dashboard-api): reject newlines and null bytes in env editor values

Lightheartdevs · claude · Lightheartdevs · commit 0af6f0e4ade3 · 2026-04-08T09:49:31.000-04:00
Adds validation in _serialize_form_values to reject values containing \n, \r, or \0. Prevents .env injection where a value like "3010\nINJECTED_KEY=malicious" could write an extra line to .env. Not exploitable in the current architecture (Docker Compose and Python dotenv treat values as literal strings), but closes a defense-in-depth gap identified during the #854 security audit. Adds 2 tests: newline injection rejected (400), null byte rejected (400). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/dream-server/extensions/services/dashboard-api/main.py b/dream-server/extensions/services/dashboard-api/main.py
@@ -520,6 +520,12 @@ def _serialize_form_values(
 
     for key, field in fields.items():
         value = raw_values.get(key, current_values.get(key, ""))
+        # Reject newlines and null bytes to prevent .env injection
+        if value is not None and any(c in str(value) for c in ("\n", "\r", "\0")):
+            raise HTTPException(
+                status_code=400,
+                detail=f"Value for '{key}' contains invalid characters (newlines or null bytes are not allowed)",
+            )
         if value is None:
             serialized[key] = current_values.get(key, "") if field.get("secret") else ""
             continue
diff --git a/dream-server/extensions/services/dashboard-api/tests/test_settings_env.py b/dream-server/extensions/services/dashboard-api/tests/test_settings_env.py
@@ -185,3 +185,35 @@ def test_api_settings_env_allows_existing_local_override(test_client, settings_e
     assert response.status_code == 200
     updated_env = env_path.read_text(encoding="utf-8")
     assert "LOCAL_OVERRIDE=updated" in updated_env
+
+
+def test_api_settings_env_rejects_newline_in_value(test_client, settings_env_fixture):
+    response = test_client.put(
+        "/api/settings/env",
+        headers=test_client.auth_headers,
+        json={
+            "mode": "form",
+            "values": {
+                "LLM_BACKEND": "local\nINJECTED_KEY=malicious",
+            },
+        },
+    )
+
+    assert response.status_code == 400
+    assert "invalid characters" in response.json()["detail"]
+
+
+def test_api_settings_env_rejects_null_byte_in_value(test_client, settings_env_fixture):
+    response = test_client.put(
+        "/api/settings/env",
+        headers=test_client.auth_headers,
+        json={
+            "mode": "form",
+            "values": {
+                "LLM_BACKEND": "local\x00injected",
+            },
+        },
+    )
+
+    assert response.status_code == 400
+    assert "invalid characters" in response.json()["detail"]
