fix(cli/env): preserve values that contain quotes, newlines, or backslashes#208
Open
Sanjays2402 wants to merge 1 commit into
Open
fix(cli/env): preserve values that contain quotes, newlines, or backslashes#208Sanjays2402 wants to merge 1 commit into
Sanjays2402 wants to merge 1 commit into
Conversation
…lashes The env file writer wrapped values containing whitespace in double quotes but never escaped embedded quotes or backslashes, and the reader stripped outer quote characters even when they were legitimate parts of the value. This caused silent data corruption on round-trip: - "value with leading quote -> read back as value with leading quote - value with trailing quote" -> read back as value with trailing quote - "quoted" -> read back as quoted (idempotency broken) - line1\nline2 -> read back as line1 (second line dropped) Any wizard re-run would then persist the corrupted value. Switches to quote-only-when-needed with proper escaping of quotes, backslashes, and control characters (\\n, \\r, \\t), and a matching reader that decodes the escape sequences in a single pass. Values outside double quotes are returned verbatim so legacy single-quoted values and unquoted values continue to round-trip unchanged. Adds tests/test_env.py covering the four corruption cases, idempotency across repeated writes, legacy single-quoted reads, key preservation, and empty-value deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Fixes silent data corruption in the env-file round-trip used by the CLI setup wizard. Values that contain quotes, newlines, or backslashes are no longer mangled when written and read back.
Why
sre_agent.cli.env._escape_env_valuewraps values containing whitespace in double quotes, but it never escapes embedded"or\characters.read_env_filethen strips outer quotes unconditionally with.strip("\"'"). This makes several realistic inputs corrupt on the first round-trip, and the corrupted value is persisted the next time the wizard runs:"hello(leading quote)KEY="hellohellohello"(trailing quote)KEY=hello"hello"quoted"KEY="quoted"quoted(idempotency broken)line1\nline2KEY="line1\nline2"(literal newline)line1(second line silently dropped)Repro (on
main, before this change):Anthropic / GitHub / Slack tokens, AWS access keys, and proxy URLs can all contain characters that trip this: e.g. a wizard user pasting an accidentally-quoted secret has it silently unquoted on the next read, and the fixed-up value overwrites the original on the next wizard run.
How
_escape_env_valuenow quotes whenever any shell-special char appears (whitespace,",',\, leading#) and escapes embedded\,",\n,\r, and\t._decode_double_quotedhelper decodes the body of a double-quoted value in a single pass (unknown escapes are preserved verbatim, matching common.envparsers).read_env_filedelegates quote handling to_unescape_env_value, which only unwraps values that are surrounded by matching quotes — unquoted values that happen to contain a leading/trailing quote are preserved.KEY='value with space') still read cleanly.Extra
Adds
tests/test_env.pycovering:write → read → write → readidempotency on"quoted"No new dependencies.
Checklist
uv run pytest tests/→ 17 passed)Also verified locally:
uv tool run ruff check src/sre_agent/cli/env.py tests/test_env.py→ cleanuv tool run ruff format --check→ cleanuv run mypy src/sre_agent/cli/env.py→Success: no issues found in 1 source fileType of change
Bug fix.