From e0627b0aa19f76656136c9dc10af93459c656a81 Mon Sep 17 00:00:00 2001 From: Hung-Che Lo Date: Fri, 17 Apr 2026 15:27:06 +0000 Subject: [PATCH] fix(helm): escape all user-supplied TOML string values with toJson Replace raw string interpolation "{{ $v }}" with {{ $v | toJson }} across all user-supplied string fields in configmap.yaml: - env values (injection risk with quotes/backslashes) - command, working_dir - discord/slack allow_bot_messages, slack allow_user_messages - stt model, base_url toJson produces a valid JSON string (with quotes and escaping), which is compatible with TOML basic string syntax. Existing values without special characters render identically. Fields NOT changed (no user input): - bot_token, app_token, api_key: use env var placeholders (${...}) - allowed_channels, allowed_users, trusted_bot_ids: already use toJson - args: already uses toJson --- charts/openab/templates/configmap.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/openab/templates/configmap.yaml b/charts/openab/templates/configmap.yaml index 84dcb1d..e0c4a61 100644 --- a/charts/openab/templates/configmap.yaml +++ b/charts/openab/templates/configmap.yaml @@ -29,7 +29,7 @@ data: {{- if not (has $cfg.discord.allowBotMessages (list "off" "mentions" "all")) }} {{- fail (printf "agents.%s.discord.allowBotMessages must be one of: off, mentions, all — got: %s" $name $cfg.discord.allowBotMessages) }} {{- end }} - allow_bot_messages = "{{ $cfg.discord.allowBotMessages }}" + allow_bot_messages = {{ $cfg.discord.allowBotMessages | toJson }} {{- end }} {{- range $cfg.discord.trustedBotIds }} {{- if regexMatch "e\\+|E\\+" (toString .) }} @@ -64,7 +64,7 @@ data: {{- if not (has ($cfg.slack).allowBotMessages (list "off" "mentions" "all")) }} {{- fail (printf "agents.%s.slack.allowBotMessages must be one of: off, mentions, all — got: %s" $name ($cfg.slack).allowBotMessages) }} {{- end }} - allow_bot_messages = "{{ ($cfg.slack).allowBotMessages }}" + allow_bot_messages = {{ ($cfg.slack).allowBotMessages | toJson }} {{- end }} {{- if ($cfg.slack).trustedBotIds }} trusted_bot_ids = {{ ($cfg.slack).trustedBotIds | toJson }} @@ -73,16 +73,16 @@ data: {{- if not (has ($cfg.slack).allowUserMessages (list "involved" "mentions")) }} {{- fail (printf "agents.%s.slack.allowUserMessages must be one of: involved, mentions — got: %s" $name ($cfg.slack).allowUserMessages) }} {{- end }} - allow_user_messages = "{{ ($cfg.slack).allowUserMessages }}" + allow_user_messages = {{ ($cfg.slack).allowUserMessages | toJson }} {{- end }} {{- end }} [agent] - command = "{{ $cfg.command }}" + command = {{ $cfg.command | toJson }} args = {{ if $cfg.args }}{{ $cfg.args | toJson }}{{ else }}[]{{ end }} - working_dir = "{{ $cfg.workingDir | default "/home/agent" }}" + working_dir = {{ $cfg.workingDir | default "/home/agent" | toJson }} {{- if $cfg.env }} - env = { {{ $first := true }}{{ range $k, $v := $cfg.env }}{{ if not $first }}, {{ end }}{{ $k }} = "{{ $v }}"{{ $first = false }}{{ end }} } + env = { {{ $first := true }}{{ range $k, $v := $cfg.env }}{{ if not $first }}, {{ end }}{{ $k }} = {{ $v | toJson }}{{ $first = false }}{{ end }} } {{- end }} [pool] @@ -100,8 +100,8 @@ data: [stt] enabled = true api_key = "${STT_API_KEY}" - model = "{{ ($cfg.stt).model | default "whisper-large-v3-turbo" }}" - base_url = "{{ ($cfg.stt).baseUrl | default "https://api.groq.com/openai/v1" }}" + model = {{ ($cfg.stt).model | default "whisper-large-v3-turbo" | toJson }} + base_url = {{ ($cfg.stt).baseUrl | default "https://api.groq.com/openai/v1" | toJson }} {{- end }} {{- if $cfg.agentsMd }} AGENTS.md: |