fix(dashboard-api): reject newlines and null bytes in env editor values#859

Merged
Lightheartdevs merged 1 commit into main from fix/env-editor-newline-validation
Apr 8, 2026

Conversation

@Lightheartdevs
Collaborator

Summary

Closes a defense-in-depth gap in the env editor (#854). Rejects values containing \n, \r, or \0 to prevent .env injection.

What was the gap

A submitted value like 3010\nINJECTED_KEY=malicious would write two lines to .env. Not exploitable in the current architecture (Docker Compose and Python dotenv treat it as a literal string), but a defense-in-depth gap.

Fix

4 lines added to _serialize_form_values in main.py:

from fastapi import HTTPException  # import the snippet needs; main.py's imports are not shown here

# Inside _serialize_form_values, checked for each (key, value) pair before it is written to .env:
if value is not None and any(c in str(value) for c in ("\n", "\r", "\0")):
    raise HTTPException(status_code=400, detail=f"Value for '{key}' contains invalid characters")

Tests

  • test_api_settings_env_rejects_newline_in_value — submits 3010\nINJECTED_KEY=malicious, asserts 400
  • test_api_settings_env_rejects_null_byte_in_value — submits 3010\x00injected, asserts 400

🤖 Generated with Claude Code
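The following is an added, stand-alone illustration of the gap and the check described in this PR; it is not the dashboard-api project's own `_serialize_form_values`. The function names (`validate_env_value`, `serialize_env`, `parse_env`, `demo`), the `InvalidEnvValue` exception used in place of an HTTP 400, the key pattern, and the sample values are all assumptions made for the example. It renders a submitted value both with and without the check, then reads the result back with a deliberately naive line-oriented reader, so the extra `INJECTED_KEY=` line is visible as a separate key in the pre-fix output and absent in the post-fix path.

```python
import re

# Constructed example; not the project's code. The toy reader below shows what
# a second line *looks like* on disk, not how any particular consumer parses it.

# Characters that terminate or corrupt a line in a line-oriented dotenv file.
FORBIDDEN = ("\n", "\r", "\0")
# Assumed key shape: upper-case identifier, so a key can never carry a newline.
KEY_RE = re.compile(r"^[A-Z_][A-Z0-9_]*$")


class InvalidEnvValue(ValueError):
    """Stand-in for the PR's HTTP 400 so the example has no web-framework dependency."""


def validate_env_value(key: str, value) -> str:
    """Return the value as a string, or raise if it could break the file format."""
    if value is None:
        return ""
    text = str(value)  # same coercion as the PR's str(value); covers ints such as a port
    bad = [c for c in FORBIDDEN if c in text]
    if bad:
        raise InvalidEnvValue(f"Value for '{key}' contains invalid characters: {bad!r}")
    return text


def serialize_env(values: dict, validate: bool = True) -> str:
    """Render KEY=value lines. validate=False reproduces the pre-fix behaviour for comparison."""
    lines = []
    for key, value in values.items():
        if not KEY_RE.match(key):
            raise InvalidEnvValue(f"Invalid key {key!r}")
        if validate:
            text = validate_env_value(key, value)
        else:
            text = "" if value is None else str(value)
        lines.append(f"{key}={text}")
    return "\n".join(lines) + "\n"


def parse_env(text: str) -> dict:
    """Minimal line-oriented reader, enough to show what an injected line becomes."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, _, v = line.partition("=")
        result[k.strip()] = v.strip()
    return result


def demo():
    """Run the PR's own payload through both paths and return what each produced."""
    payload = {"PORT": "3010\nINJECTED_KEY=malicious"}  # constructed, from the PR description
    # Pre-fix: the embedded newline splits the entry and the reader sees a new key.
    leaked = parse_env(serialize_env(payload, validate=False))
    # Post-fix: the same submission is rejected before anything is written.
    try:
        serialize_env(payload)
        rejected = False
    except InvalidEnvValue:
        rejected = True
    # Ordinary values, including a non-string and a None, still round-trip unchanged.
    clean = parse_env(serialize_env({"PORT": 3010, "DEBUG": None}))
    return leaked, rejected, clean


if __name__ == "__main__":
    leaked, rejected, clean = demo()
    print("pre-fix keys:", sorted(leaked))       # shows INJECTED_KEY alongside PORT
    print("post-fix rejected:", rejected)        # True
    print("clean round-trip:", clean)
```

The check is deliberately on the raw string rather than on an escaped form: a dotenv file has no universally agreed quoting rules across consumers, so rejecting line terminators outright is simpler to reason about than trying to quote them. Null bytes are included because they are not a line terminator but still have no legitimate place in a text configuration file.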

@github-actions

github-actions bot commented Apr 8, 2026

Sensitive Files Detected

Trigger: Security-sensitive files detected: .env

Files flagged:

dream-server/extensions/services/dashboard-api/tests/test_settings_env.py

Extra human review is recommended for this PR.


Claude Code Review | Sensitive File Detection | ~$1.50

Adds validation in _serialize_form_values to reject values containing
\n, \r, or \0. Prevents .env injection where a value like
"3010\nINJECTED_KEY=malicious" could write an extra line to .env.

Not exploitable in the current architecture (Docker Compose and Python
dotenv treat values as literal strings), but closes a defense-in-depth
gap identified during the #854 security audit.

Adds 2 tests: newline injection rejected (400), null byte rejected (400).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Lightheartdevs Lightheartdevs force-pushed the fix/env-editor-newline-validation branch from fa6e20f to 0af6f0e on April 8, 2026 13:49

@Lightheartdevs Lightheartdevs merged commit b291151 into main Apr 8, 2026
28 checks passed