Pensar - auto fix for Unsanitized Environment Variable Injection via Direct File Write #18

Open · wants to merge 1 commit into base: canary

Conversation

pensarapp[bot] commented Apr 1, 2025

Secured with Pensar

Fixed a security vulnerability in the setLocalEnvVar function that allowed for configuration injection attacks (CWE-15) due to improper input validation (CWE-20). The fix includes:

  1. Added key validation using a regex pattern that only allows letters, numbers, and underscores in environment variable keys. This prevents attackers from using malformed keys that could break the .env file format.

  2. Added value sanitization by removing any newline characters from the value parameter. This prevents attackers from injecting additional environment variables through newline characters in the value.

These changes ensure that both the key and value parameters are properly validated and sanitized before being written to the .env file, preventing potential configuration injection attacks while maintaining the original functionality.

More Details
| Type | Identifier | Message | Severity |
| --- | --- | --- | --- |
| Application | CWE-15, CWE-20 | The function setLocalEnvVar accepts 'key' and 'value' parameters and writes them directly into an environment file without input validation or sanitization. This may allow external control of configuration settings (CWE-15) if the inputs are user-controlled or untrusted, and it has improper input validation (CWE-20). Although the file path is statically determined, the dynamic nature of the contents in the '.env' file means an attacker could inject unexpected configuration directives. In contexts where this function is exposed to untrusted input, this can lead to misconfiguration of the system or exposing sensitive behavior, hence the medium severity rating. | medium |

vercel bot commented Apr 1, 2025

The latest updates on your projects.

| Name | Status | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| simpl-cms-docs | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Apr 1, 2025 7:25am |
