fix(dotenv): introduce safe parsing of .env files (#13778)

* fix(dotenv): expect explicit yes before loading .env file * fix(dotenv): implement secure parsing for .env files and add comprehensive tests * feat(dotenv): check for .env file size to prevent DoS * fix(dotenv): forbid setting special variables * fix(dotenv): FIFO shouldn't be read twice * fix(dotenv): unknown vars should expand to empty * fix(dotenv): reject extremely large named pipes * docs(dotenv): update to new parsing system * fix(dotenv): add support for escaped dollars * chore(dotenv): only declare local variables once * fix(dotenv): apply review suggestions * docs(dotenv): update test instructions Co-authored-by: Carlo Sala <carlosalag@protonmail.com>
2026-05-29 04:53:17 +02:00 · 2026-05-28 20:23:45 +02:00 · 2026-05-28 20:23:45 +02:00 · d170d18746
commit d170d18746
parent c90141ed77
10 changed files with 1219 additions and 12 deletions
--- a/plugins/dotenv/tests/compatibility.zunit
+++ b/plugins/dotenv/tests/compatibility.zunit
@ -0,0 +1,27 @@
+#!/usr/bin/env zunit
+
+@setup {
+  unset DOTENV_TEST_VARS DOTENV_SOURCE_VARS 2>/dev/null
+}
+
+@teardown {
+  unset DOTENV_TEST_VARS DOTENV_SOURCE_VARS 2>/dev/null
+}
+
+@test 'compatibility: dotenvjs fixture matches native source' {
+  local fixture="${testdir:A}/_support/fixtures/dotenvjs.env"
+
+  _parse_dotenv_test "$fixture"
+  _source_with_allexport "$fixture"
+
+  assert "DOTENV_TEST_VARS" var_same_as "DOTENV_SOURCE_VARS"
+}
+
+@test 'compatibility: features fixture matches native source' {
+  local fixture="${testdir:A}/_support/fixtures/features.env"
+
+  _parse_dotenv_test "$fixture"
+  _source_with_allexport "$fixture"
+
+  assert "DOTENV_TEST_VARS" var_same_as "DOTENV_SOURCE_VARS"
+}