Fix Nixpacks null environment variable parsing error #7493
Conversation
Filter out null and empty environment variables when generating Nixpacks build configuration to prevent JSON parsing errors. Environment variables with null or empty values were being passed as `--env KEY=` which created invalid JSON with null values, causing deployment failures. This fix ensures only valid non-empty environment variables are included in both user-defined and auto-generated COOLIFY_* environment variables. 🤖 Generated with Claude Code Co-Authored-By: Claude <[email protected]>
There was a problem hiding this comment.
Pull request overview
This PR fixes a Nixpacks JSON parsing error that occurred when null or empty environment variables were passed to the Nixpacks build command. The fix adds filtering logic to exclude null and empty string values from both user-defined environment variables and COOLIFY_* system environment variables before they are included in Nixpacks --env arguments.
Key changes:
- Enhanced environment variable filtering in
generate_nixpacks_env_variables()to check for both null and empty strings - Applied filtering to both regular deployments and preview (pull request) deployments
- Added comprehensive unit tests covering various edge cases including null values, empty strings, zero values, and preview deployments
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| app/Jobs/ApplicationDeploymentJob.php | Added empty string validation ($value !== '') to the existing null checks when filtering environment variables for Nixpacks, preventing empty --env KEY= arguments that cause JSON parsing errors |
| tests/Unit/ApplicationDeploymentNixpacksNullEnvTest.php | Added comprehensive unit tests verifying null/empty value filtering, preservation of valid falsy values like "0" and "false", and proper handling of preview deployments |
| expect($envArgs)->not->toContain('COOLIFY_BRANCH'); | ||
|
|
||
| // Verify no environment variables end with just '=' (which indicates null/empty value) | ||
| expect($envArgs)->not->toMatch('/--env [A-Z_]+=$/'); |
There was a problem hiding this comment.
The regex pattern /--env [A-Z_]+=$/ uses the $ anchor which matches the end of the entire string, not individual variable entries. Since $envArgs is a space-separated string like "--env VAR1=val1 --env VAR2=val2", this pattern would only match if a variable with an empty value appears at the very end of the string.
Consider using /--env [A-Z_]+= / (already present on line 105) or /--env [A-Z_]+=(?: |$)/ to match empty values anywhere in the string, not just at the end.
| expect($envArgs)->not->toMatch('/--env [A-Z_]+=$/'); | |
| expect($envArgs)->not->toMatch('/--env [A-Z_]+=(?: |$)/'); |
| foreach ($this->application->nixpacks_environment_variables_preview as $env) { | ||
| if (! is_null($env->real_value)) { | ||
| if (! is_null($env->real_value) && $env->real_value !== '') { | ||
| $this->env_nixpacks_args->push("--env {$env->key}={$env->real_value}"); |
There was a problem hiding this comment.
Shell command injection risk: {$env->key} and {$env->real_value} are concatenated into --env {$env->key}={$env->real_value} and later used in nixpacks_command, which is executed via executeInDocker() (bash -c '...'). A crafted env var value with a single quote or shell metacharacters can terminate the quoting and inject arbitrary commands. Fix by executing nixpacks without a shell and passing arguments safely (array/argv), or by rigorously escaping both key and value for a single-quoted shell context and quoting KEY=VALUE, or by using an env-file input if available.
| $this->env_nixpacks_args->push("--env {$key}={$value}"); | ||
| // Only add environment variables with non-null and non-empty values | ||
| if (! is_null($value) && $value !== '') { | ||
| $this->env_nixpacks_args->push("--env {$key}={$value}"); |
There was a problem hiding this comment.
Shell command injection risk: {$key} and its $value are interpolated into --env {$key}={$value} and then included in nixpacks_command executed via executeInDocker() (bash -c '...'). If $value contains a single quote or shell metacharacters, it can break out of the quoting and run arbitrary commands inside the container. Fix by avoiding shell concatenation (invoke nixpacks directly without bash -c and pass args as an array), or at minimum escape for the single-quoted shell context and quote KEY=VALUE, or leverage an env-file mechanism if supported.
| foreach ($this->application->nixpacks_environment_variables as $env) { | ||
| if (! is_null($env->real_value)) { | ||
| if (! is_null($env->real_value) && $env->real_value !== '') { | ||
| $this->env_nixpacks_args->push("--env {$env->key}={$env->real_value}"); |
There was a problem hiding this comment.
Shell command injection risk: {$env->key} and {$env->real_value} are concatenated into --env {$env->key}={$env->real_value} and later embedded into nixpacks_command that runs via executeInDocker() (bash -c '...'). An attacker who can set an environment variable value containing a single quote or shell metacharacters can break out of the single-quoted context and execute arbitrary commands in the build container. Fix by avoiding shell string concatenation (execute nixpacks without bash -c and pass args as an array), or at minimum apply robust shell escaping to both key and value and wrap KEY=VALUE in quotes (e.g., escape ' as '�"'"' via str_replace), or use an env-file mechanism if supported.
|
Note Other AI code review bot(s) detectedCodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review. WalkthroughThis pull request refines environment variable handling in the ApplicationDeploymentJob by adding validation to exclude null and empty string values from Nixpacks build context. The changes filter environment variables when constructing build arguments, affecting both standard and preview environment deployments. A corresponding unit test suite validates the filtering logic, ensuring that null or empty variables are properly excluded while non-empty values are preserved, and verifies correct behavior across various scenarios including preview deployments and edge cases with zero or false string values. ✨ Finishing touches
🧪 Generate unit tests (beta)
📜 Recent review detailsConfiguration used: CodeRabbit UI Review profile: ASSERTIVE Plan: Pro 📒 Files selected for processing (2)
🧰 Additional context used📓 Path-based instructions (4)**/*.php📄 CodeRabbit inference engine (CLAUDE.md)
Files:
app/Jobs/**/*.php📄 CodeRabbit inference engine (CLAUDE.md)
Files:
tests/Unit/**/*.php📄 CodeRabbit inference engine (CLAUDE.md)
Files:
tests/**/*.php📄 CodeRabbit inference engine (CLAUDE.md)
Files:
🧬 Code graph analysis (2)app/Jobs/ApplicationDeploymentJob.php (4)
tests/Unit/ApplicationDeploymentNixpacksNullEnvTest.php (1)
🔇 Additional comments (1)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Changes
generate_nixpacks_env_variables()for both user-defined and COOLIFY_* environment variablesIssues
This ensures that environment variables with null or empty values are not passed to Nixpacks, preventing deployment failures.
/artifacts/thegameplan.json#6830