Skip to content

fix(config): Implement strict envvar handling to prevent insecure text replacement #17966

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mstrandboge merged 2 commits into from
Nov 15, 2025
Merged

fix(config): Implement strict envvar handling to prevent insecure text replacement #17966

mstrandboge merged 2 commits into from
Nov 15, 2025
+403 −9

Conversation

@srebhan
Copy link
Member

@srebhan srebhan commented Nov 10, 2025
edited
Loading

Summary

Implement a strict version of handling environment variables which uses the capabilities of TOML parsing instead of replacing the environment variables in the raw text. This comes at a cost of only being able to use environment variables
in string settings because the initial config file must be TOML conform.

Note

The strict handling requires to opt-in using the --strict-env-handling command-line option

Checklist

Related issues

@telegraf-tiger telegraf-tiger bot added the fix pr to fix corresponding bug label Nov 10, 2025
@srebhan srebhan mentioned this pull request Nov 10, 2025
Draft
2 tasks
skartikey
skartikey reviewed Nov 11, 2025
View reviewed changes
Copy link
Contributor

@skartikey skartikey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@srebhan Well designed and tested. Just one minor comment.

@srebhan srebhan requested a review from skartikey November 13, 2025 11:51
@telegraf-tiger
Copy link
Contributor

telegraf-tiger bot commented Nov 13, 2025

Download PR build artifacts for linux_amd64.tar.gz, darwin_arm64.tar.gz, and windows_amd64.zip.
Downloads for additional architectures and packages are available below.

☺️ This pull request doesn't significantly change the Telegraf binary size (less than 1%)

📦 Click here to get additional PR build artifacts

Artifact URLs

. DEB . RPM . TAR . GZ . ZIP
amd64.deb aarch64.rpm darwin_amd64.tar.gz windows_amd64.zip
arm64.deb armel.rpm darwin_arm64.tar.gz windows_arm64.zip
armel.deb armv6hl.rpm freebsd_amd64.tar.gz windows_i386.zip
armhf.deb i386.rpm freebsd_armv7.tar.gz
i386.deb ppc64le.rpm freebsd_i386.tar.gz
mips.deb riscv64.rpm linux_amd64.tar.gz
mipsel.deb s390x.rpm linux_arm64.tar.gz
ppc64el.deb x86_64.rpm linux_armel.tar.gz
riscv64.deb linux_armhf.tar.gz
s390x.deb linux_i386.tar.gz
linux_mips.tar.gz
linux_mipsel.tar.gz
linux_ppc64le.tar.gz
linux_riscv64.tar.gz
linux_s390x.tar.gz

@skartikey skartikey removed their assignment Nov 13, 2025
@skartikey skartikey added the ready for final review This pull request has been reviewed and/or tested by multiple users and is ready for a final review. label Nov 13, 2025
@mstrandboge mstrandboge merged commit 7341bbf into influxdata:master Nov 15, 2025
26 of 27 checks passed
@github-actions github-actions bot added this to the v1.36.4 milestone Nov 15, 2025
srebhan added a commit that referenced this pull request Nov 17, 2025
@srebhan
fix(config): Implement strict envvar handling to prevent insecure tex…
f1071ea 
…t replacement (#17966)

(cherry picked from commit 7341bbf)
@BrewTestBot BrewTestBot mentioned this pull request Nov 17, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@skartikey skartikey skartikey approved these changes

@mstrandboge mstrandboge mstrandboge approved these changes

Assignees

@mstrandboge mstrandboge

Labels

area/configuration fix pr to fix corresponding bug ready for final review This pull request has been reviewed and/or tested by multiple users and is ready for a final review.

Projects

None yet

Milestone

v1.36.4

Development

Successfully merging this pull request may close these issues.

3 participants

@srebhan @skartikey @mstrandboge