fix(dotenv): introduce safe parsing of .env files (#13778)

* fix(dotenv): expect explicit yes before loading .env file
* fix(dotenv): implement secure parsing for .env files and add comprehensive tests
* feat(dotenv): check for .env file size to prevent DoS
* fix(dotenv): forbid setting special variables
* fix(dotenv): FIFO shouldn't be read twice
* fix(dotenv): unknown vars should expand to empty
* fix(dotenv): reject extremely large named pipes
* docs(dotenv): update to new parsing system
* fix(dotenv): add support for escaped dollars
* chore(dotenv): only declare local variables once
* fix(dotenv): apply review suggestions
* docs(dotenv): update test instructions

Co-authored-by: Carlo Sala <carlosalag@protonmail.com>
Marc Cornellà
2026-05-28 20:23:45 +02:00
committed by GitHub
parent c90141ed77
commit d170d18746
10 changed files with 1219 additions and 12 deletions

@@ -0,0 +1,9 @@
tap: false
directories:
tests: tests
output: tests/_output
support: tests/_support
time_limit: 0
fail_fast: false
allow_risky: false
verbose: false
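
Review bot: `time_limit: 0` on the sixth line of this new file looks like it leaves test runs without a timeout, assuming 0 means "no limit" for this runner. The commit message lists FIFO and named-pipe handling among the fixes, and a test that blocks while reading a pipe would then hang the whole run instead of failing, so consider a finite limit here. Separately, as rendered the `tests:`, `output:` and `support:` keys are not indented under `directories:`; confirm they are nested in the committed file, otherwise `directories` parses as empty and the three paths become top-level keys.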