Merge pull request #16 from touchmegit1/dev

fix: improve environment variable loading in database scripts for enhanced security

Author: xukki241

.github/workflows/cd.yml

@@ -179,21 +179,20 @@ jobs:
               exit 1
             fi
 
-            # Load backend env even when file is owned by root (e.g. mode 600).
-            set -a
-            TMP_ENV="$(mktemp)"
-            if [ -r "$ENV_FILE" ]; then
-              cat "$ENV_FILE" > "$TMP_ENV"
-            else
+            if [ ! -r "$ENV_FILE" ]; then
               echo "No read permission for $ENV_FILE, loading via sudo..."
-              sudo cat "$ENV_FILE" > "$TMP_ENV"
             fi
 
-            # Normalize potential CRLF and source variables
-            sed -i 's/\r$//' "$TMP_ENV"
-            . "$TMP_ENV"
-            rm -f "$TMP_ENV"
-            set +a
+            # Read only required keys from backend.env (safe, no shell execution).
+            get_env_value() {
+              key="$1"
+              sudo sed -n "s/^${key}=//p" "$ENV_FILE" | tail -n 1 | tr -d '\r'
+            }
+
+            DB_USERNAME="$(get_env_value DB_USERNAME)"
+            DB_PASSWORD="$(get_env_value DB_PASSWORD)"
+            MYSQL_DATABASE="$(get_env_value MYSQL_DATABASE)"
+            MYSQL_ROOT_PASSWORD="$(get_env_value MYSQL_ROOT_PASSWORD)"
 
             : "${DB_USERNAME:=smalltrend}"
             : "${DB_PASSWORD:=1234}"

deploy/scripts/init-db-and-seed.sh

@@ -26,11 +26,14 @@ require_file "$SEED_FILE"
 
 cd "$DEPLOY_PATH"
 
-log "2/7" "Loading environment"
-set -a
-# shellcheck disable=SC1090
-. "$ENV_FILE"
-set +a
+log "2/7" "Reading required DB variables from backend.env"
+get_env_value() {
+  local key="$1"
+  sed -n "s/^${key}=//p" "$ENV_FILE" | tail -n 1 | tr -d '\r'
+}
+
+MYSQL_DATABASE="$(get_env_value MYSQL_DATABASE)"
+MYSQL_ROOT_PASSWORD="$(get_env_value MYSQL_ROOT_PASSWORD)"
 
 : "${MYSQL_DATABASE:=smalltrend}"
 : "${MYSQL_ROOT_PASSWORD:=root1234}"

deploy/scripts/reset-db-and-seed.sh

@@ -26,11 +26,14 @@ require_file "$SEED_FILE"
 
 cd "$DEPLOY_PATH"
 
-log "2/7" "Loading backend environment"
-set -a
-# shellcheck disable=SC1090
-. "$ENV_FILE"
-set +a
+log "2/7" "Reading required DB variables from backend.env"
+get_env_value() {
+  local key="$1"
+  sed -n "s/^${key}=//p" "$ENV_FILE" | tail -n 1 | tr -d '\r'
+}
+
+MYSQL_DATABASE="$(get_env_value MYSQL_DATABASE)"
+MYSQL_ROOT_PASSWORD="$(get_env_value MYSQL_ROOT_PASSWORD)"
 
 : "${MYSQL_DATABASE:=smalltrend}"
 : "${MYSQL_ROOT_PASSWORD:=root1234}"

frontend/.env.example

@@ -7,7 +7,7 @@
 # API CONFIGURATION
 # ===================================
 # URL backend API (không có trailing slash)
-VITE_API_BASE_URL=http://localhost:8081/api
+VITE_API_BASE_URL=/api
 
 # Timeout cho API calls (milliseconds)
 VITE_API_TIMEOUT=30000
@@ -66,4 +66,4 @@ VITE_LOYALTY_POINTS_PER_1000=1
 VITE_MAX_FILE_SIZE=10
 
 # Các định dạng ảnh cho phép
-VITE_ALLOWED_IMAGE_TYPES=image/jpeg,image/png,image/webp
+VITE_ALLOWED_IMAGE_TYPES=image/jpeg,image/png,image/webp