Stabilize job environment variable injection

2025-10-26 17:21:58 -06:00 · 2025-10-03 18:47:00 -06:00
parent 8e83939ee8
commit 38863be334
4 changed files with 124 additions and 24 deletions
--- a/Data/Server/server.py
+++ b/Data/Server/server.py
@@ -2816,6 +2816,35 @@ def _safe_filename(rel_path: str) -> str:
        return rel_path or ""


+def _canonical_env_key(name: Any) -> str:
+    try:
+        return re.sub(r"[^A-Za-z0-9_]", "_", str(name or "").strip()).upper()
+    except Exception:
+        return ""
+
+
+def _expand_env_aliases(env_map: Dict[str, str], variables: List[Dict[str, Any]]) -> Dict[str, str]:
+    expanded: Dict[str, str] = dict(env_map or {})
+    if not isinstance(variables, list):
+        return expanded
+    for var in variables:
+        if not isinstance(var, dict):
+            continue
+        name = str(var.get("name") or "").strip()
+        if not name:
+            continue
+        canonical = _canonical_env_key(name)
+        if not canonical or canonical not in expanded:
+            continue
+        value = expanded[canonical]
+        alias = re.sub(r"[^A-Za-z0-9_]", "_", name)
+        if alias and alias not in expanded:
+            expanded[alias] = value
+        if alias != name and re.match(r"^[A-Za-z_][A-Za-z0-9_]*$", name) and name not in expanded:
+            expanded[name] = value
+    return expanded
+
+
@app.route("/api/scripts/quick_run", methods=["POST"])
 def scripts_quick_run():
    """Queue a Quick Job to agents via WebSocket and record Running status.
@@ -2860,7 +2889,7 @@ def scripts_quick_run():
        name = str(var.get("name") or "").strip()
        if not name:
            continue
-        env_key = re.sub(r"[^A-Za-z0-9_]", "_", name.upper())
+        env_key = _canonical_env_key(name)
        default_val = var.get("default")
        if default_val is None and "defaultValue" in var:
            default_val = var.get("defaultValue")
@@ -2877,7 +2906,7 @@ def scripts_quick_run():
            if not name:
                continue
            overrides[name] = val
-            env_key = re.sub(r"[^A-Za-z0-9_]", "_", name.upper())
+            env_key = _canonical_env_key(name)
            env_map[env_key] = _env_string(val)

    variables: List[Dict[str, Any]] = []
@@ -2896,6 +2925,7 @@ def scripts_quick_run():
    for name, val in overrides.items():
        if name not in doc_names:
            variables.append({"name": name, "value": val})
+    env_map = _expand_env_aliases(env_map, variables)
    timeout_seconds = 0
    try:
        timeout_seconds = max(0, int(doc.get("timeout_seconds") or 0))