feat: allow safe environment variable defaults in array-format volumes

Changes: - Extended validateDockerComposeForInjection to recognize env vars with defaults - Added pattern check for ${VAR:-default} format alongside simple ${VAR} check - Maintains consistency with parseDockerVolumeString behavior for string format Test coverage: - Added test for safe environment variable defaults in array format - Verifies ${DATA_PATH:-./data} is allowed in array-format volumes - All 79 security tests pass (215 assertions) This allows users to specify environment variables with safe default values in array-format Docker Compose volumes, matching the behavior already supported in string-format volumes.
2026-04-17 17:21:04 +00:00 · 2025-10-16 09:08:54 +02:00
parent 728f261316
commit 97868c3264
2 changed files with 27 additions and 1 deletions
--- a/bootstrap/helpers/parsers.php
+++ b/bootstrap/helpers/parsers.php
@@ -59,8 +59,11 @@ function validateDockerComposeForInjection(string $composeYaml): void
                    if (isset($volume['source'])) {
                        $source = $volume['source'];
                        if (is_string($source)) {
+                            // Allow simple env vars and env vars with defaults (validated in parseDockerVolumeString)
                            $isSimpleEnvVar = preg_match('/^\$\{[a-zA-Z_][a-zA-Z0-9_]*\}$/', $source);
-                            if (! $isSimpleEnvVar) {
+                            $isEnvVarWithDefault = preg_match('/^\$\{[^}]+:-[^}]*\}$/', $source);
+
+                            if (! $isSimpleEnvVar && ! $isEnvVarWithDefault) {
                                try {
                                    validateShellSafePath($source, 'volume source');
                                } catch (\Exception $e) {